Compliance Startup Delve Accused of "Fake Compliance as a Service" Amid Claims of Fraud and Security Lapses

A burgeoning compliance startup, Delve, backed by prestigious accelerator Y Combinator and boasting a $300 million valuation, finds itself embroiled in a severe controversy following an anonymous Substack post that alleges widespread "fake compliance as a service." The post, published this week by an entity identifying as "DeepDelver," claims Delve has "falsely" assured "hundreds of customers they were compliant" with critical privacy and security regulations, potentially exposing these clients to "criminal liability under HIPAA and hefty fines under GDPR."

Delve, which made headlines last year after announcing a $32 million Series A funding round led by Insight Partners, swiftly moved to deny the accusations. In a blog post published on Friday, the company labeled the Substack claims "misleading" and asserted that the post "contains a number of inaccurate claims," attempting to quell the growing storm of concern.

The gravity of the allegations cannot be overstated, touching upon the very foundation of trust in the compliance industry. DeepDelver, who described themselves as a former employee of a Delve client, paints a damning picture of a company that allegedly prioritizes speed over integrity, with potentially dire consequences for its user base. Compliance with regulations like the Health Insurance Portability and Accountability Act (HIPAA), which governs the privacy and security of patient health information, and the General Data Protection Regulation (GDPR), a stringent data privacy and security law in the European Union, is not merely a formality; it is a legal imperative, and organizations that fail to adhere face significant legal and financial risk.

The seeds of suspicion, according to DeepDelver, were sown in December when a peculiar email surfaced, claiming that Delve had "leaked a spreadsheet with confidential client reports." While Delve CEO Karun Kaushik reportedly sent a subsequent email to customers, reassuring them of their compliance status and denying any external access to sensitive data, DeepDelver and other clients found themselves unconvinced. This incident served as a catalyst, prompting a collaborative investigation among dissatisfied customers.

"Having the shared experience of being underwhelmed with the Delve experience, and having the overall sense that something fishy was going on, we decided to pool resources and investigate together," DeepDelver elaborated in their Substack post. The collective findings from this investigation led to a stark conclusion: Delve, they allege, "achieves its claim of being the fastest platform by producing fake evidence, generating auditor conclusions on behalf of certification mills that rubber stamp reports, and skipping major framework requirements while telling clients they have achieved 100% compliance."

DeepDelver delved into considerable detail regarding these accusations, asserting that the startup provided its customers with "fabricated evidence of board meetings, tests, and processes that never happened." This, they claim, forced customers into an unenviable position: "choose between adopting fake evidence or performing mostly manual work with little real automation or AI." The implication is that Delve’s much-touted automation capabilities were, in many instances, a veneer for non-existent or misrepresented compliance activities.

A particularly troubling aspect of DeepDelver’s exposé focuses on Delve’s relationship with auditing firms. The Substack post claims that nearly all of Delve’s clients utilized two specific audit firms: Accorp and Gradient. These firms are controversially described as "part of the same operation," predominantly active in India, with only a "nominal presence in the United States." DeepDelver contends that these firms essentially served as "rubber stamps," approving reports that were pre-generated by Delve itself.

This alleged arrangement, DeepDelver argues, fundamentally "inverts" the standard and legally mandated compliance structure. In a legitimate audit process, an independent third party examines a company’s internal controls and evidence to form an objective opinion on its compliance posture. However, DeepDelver alleges, "By generating auditor conclusions, test procedures, and final reports before any independent review occurs, Delve places itself in the role of both implementer and examiner. This is not a technicality. It is a structural fraud that invalidates the entire attestation." Such a practice, if proven true, would undermine the entire purpose of an independent audit, rendering any compliance certification issued under this model effectively worthless and potentially fraudulent.

Beyond misleading its direct customers, DeepDelver further accused Delve of assisting these clients in "misleading the public by hosting trust pages that contain security measures that were never implemented." Trust pages are public-facing declarations by companies, detailing their security and compliance frameworks, designed to build confidence with their users and partners. If these pages advertise security measures that are not actually in place, it constitutes a significant breach of trust and potentially deceptive business practice.

The Substack post also offered a peculiar anecdote: while DeepDelver’s company was grappling with its compliance issues with Delve, the startup reportedly "sent us multiple boxes of donuts […] to keep us happy." Despite this gesture, DeepDelver’s employer allegedly took decisive action, unpublishing its trust page and discontinuing its reliance on Delve for compliance services, indicating the severity of their concerns.

In its official response, Delve staunchly defended its business model and denied the core allegations. The company clarified its role, stating that it "does not issue compliance reports at all." Instead, Delve positions itself as an "automation platform" designed to streamline the compliance process by ingesting relevant information and providing auditors with secure access to that data. "Final reports and opinions are issued solely by independent, licensed auditors, not Delve," the company emphasized, seeking to distance itself from the responsibility of the ultimate compliance attestation.

Addressing the claims about its auditing partners, Delve stated that its customers "can opt to work with an auditor of their choosing or opt to work with one from Delve’s network of independent, accredited third-party audit firms." The startup maintained that these auditors are "established firms used broadly across the industry, including by other compliance platforms," suggesting that Accorp and Gradient are legitimate players within the broader compliance ecosystem.

Regarding the accusation of providing "fake evidence," Delve countered that it merely offers "templates to help teams document their processes in accordance with compliance requirements, as do other compliance platforms." The company drew a clear distinction, asserting, "Draft templates are not the same as ‘pre-filled evidence,’" implying that their tools are for guidance and documentation, not for fabricating audit-ready materials. Delve concluded its initial response by stating it is "actively investigating any leaks" and is "still reviewing the Substack."

The controversy escalated further following the initial Substack post, with additional security concerns emerging on social media. An X user identified as James Zhou claimed to have gained unauthorized access to sensitive information from Delve, including employee background checks and equity vesting schedules. This claim was further elaborated upon by Dvuln founder Jamieson O’Reilly, who shared details from what he described as a conversation with Zhou. O’Reilly highlighted "several gaping security holes in Delve’s external attack surface," raising serious questions about the startup’s own internal security practices, particularly ironic for a company that purports to aid others in achieving security compliance.

In an attempt to gather further comment and clarity, TechCrunch reached out to the media contact address listed on Delve’s website. The email, however, bounced back, indicating a potential issue with their publicly listed contact information. Curiously, a calendar invite for a "Delve demo" was subsequently received later in the week, an unexpected development given the nature of the inquiry. TechCrunch has also extended an invitation for additional comment to DeepDelver, seeking to further understand the perspective of the anonymous accuser.

This unfolding saga presents a critical moment for Delve, its investors, and its hundreds of clients. The allegations, if substantiated, could lead to significant legal challenges, regulatory investigations, and severe reputational damage, not only for Delve but also for the client companies that relied on its services for their compliance needs. The compliance-as-a-service industry, designed to simplify complex regulatory landscapes for businesses, itself relies heavily on trust and the verifiable independence of its processes. The outcome of these accusations will undoubtedly send ripples throughout this rapidly growing sector.
