🚀 Explore this trending post from TechCrunch 📖
📂 **Category**: AI,Security,Startups,Delve
✅ **What You’ll Learn**:
An anonymous Substack post published this week accuses compliance startup Delve of “falsely convincing” “hundreds of customers” that they are in compliance with “privacy and security regulations,” potentially exposing those customers to “criminal liability under HIPAA and hefty fines under GDPR.”
Delve is a Y Combinator-backed startup that last year announced raising a $32 million Series A at a $300 million valuation. (The round was led by Insight Partners.) On Friday, the startup attempted to refute the accusations on its blog, calling the Substack post “misleading” and saying it “contains a number of inaccurate claims.”
The Substack post is attributed to “DeepDelver,” who described themselves as working for a (now former) Delve client. In response to email questions from TechCrunch, DeepDelver said that they and their collaborators “chose to remain anonymous for fear of retaliation from Delve.”
In their post, DeepDelver recounted receiving an email in December claiming that the startup had “leaked a spreadsheet containing confidential customer reports.” While Delve CEO Karun Kaushik assured customers in a later email that they were in compliance and that no outside party had access to sensitive data, DeepDelver said they and other customers became suspicious.
“After our shared experience of frustration with the Delve experience, and a general sense that something fishy was happening, we decided to pool resources and investigate together,” they wrote.
Their conclusion? Delve lives up to its claim of being the fastest platform by producing fake evidence, generating auditor conclusions on behalf of certification factories that rubber-stamp reports, and skipping key framework requirements while telling clients they have achieved 100% compliance.
DeepDelver has gone into great detail about these allegations, accusing the startup of providing customers with “fabricated evidence of board meetings, testing, and operations that never happened,” and then forcing those customers to “choose between adopting fake evidence or performing mostly manual work with little real automation or artificial intelligence.”
DeepDelver also claimed that almost all of Delve’s clients had gone through two audit firms, Accorp and Gradent, which they described as “part of the same operation” that operates primarily in India, with only a nominal presence in the US.
They said that these companies simply certify reports created by Delve. As a result, DeepDelver said the startup is “upending” the normal compliance structure: “By generating auditors’ conclusions, testing procedures, and final reports before any independent review is conducted, Delve places itself in the role of both enforcer and examiner. This is not a technical issue. Rather, it is a structural fraud that invalidates the entire certification.”
In addition to accusing Delve of misleading its customers, DeepDelver said the startup helps those customers “mislead the public by hosting trust pages that contain security measures that were never implemented.”
DeepDelver said that while their company was discussing its issues with Delve, the startup sent them “several boxes of brownies […] to keep us happy.” However, DeepDelver’s employer has supposedly unpublished its trust page and is no longer relying on the startup for compliance.
Delve responded to the accusations by saying it does not issue compliance reports at all. Instead, it is an “automation platform” that ingests information about compliance, and then provides auditors with access to that information.
“Final reports and opinions are issued only by independent, licensed auditors, and not by Delve,” the company said.
Delve also said that its clients “can choose to work with an auditor of their choice or choose to work with an auditor from Delve’s network of independent, accredited third-party audit firms.” These auditors are “established companies that are widely used across the industry, including other compliance platforms,” the startup said.
In response to the accusation that it provides clients with “fake evidence,” Delve responded that it simply provides “templates to help teams document their processes against compliance requirements, as other compliance platforms do.”
“Draft forms are not like ‘pre-filled guides,’” the company said.
Delve added that it is “actively investigating any leaks” and “is still reviewing Substack.”
When asked about Delve’s response, DeepDelver told TechCrunch that they were “baffled by the laziness, foolishness, and rudeness of this response.”
“They’re trying to claw their way out [of] responsibility by denying the existence of ‘pre-filled guides’ but calling them ‘templates’ instead, effectively shifting the blame onto customers for adopting the ‘templates’ as they are,” DeepDelver said. “They claim they are not the ones ‘issuing’ the report, which is easy to claim if you define issuing the report as providing finality.”
They added that there were “a number of very serious allegations” that Delve never addressed: “accusing India, lack of AI (they only talk about ‘automation’), and a trust page (lol) that had controls that were never implemented.”
DeepDelver clearly isn’t finished with their criticism, as they promised, “Part 2 will follow soon.”
Additionally, after the initial Substack post, an X user named James Zhou said they had access to sensitive information from Delve, such as employee background checks and stock vesting tables. Dvuln founder Jamieson O’Reilly shared more details from what O’Reilly said was a conversation with Zhou about “several significant vulnerabilities in Delve’s external attack surface.”
TechCrunch sent an email requesting additional comment to the media contact address listed on Delve’s website. The email bounced, but after publishing this article, I received a calendar invite for a “Delve Demo” later that week.
This post was first published on March 21, 2026. It has been updated with emailed answers from DeepDelver, additional information about the alleged vulnerabilities provided by Jamieson O’Reilly, and additional details about Delve’s response to TechCrunch.
🕒 **Posted on**: 1774192561
