
Compliance Startup Delve Accused of "Fake Compliance as a Service," Exposing Hundreds of Clients to Significant Legal Risks

An anonymous Substack post, published this week under the moniker "DeepDelver," has unleashed a torrent of severe accusations against Delve, a prominent Y Combinator-backed compliance startup. The post alleges that Delve has "falsely" assured "hundreds of customers they were compliant" with critical privacy and security regulations, potentially exposing these clients to "criminal liability under HIPAA and hefty fines under GDPR." This claim has sent ripples through the tech and compliance sectors, raising serious questions about the integrity of automated compliance solutions.

Delve, a company that last year made headlines for raising a substantial $32 million Series A funding round at an impressive $300 million valuation – a round notably led by Insight Partners – quickly moved to address the allegations. On Friday, the startup published a blog post on its official website, attempting to refute the accusations. Delve characterized the anonymous Substack post as "misleading" and asserted that it "contains a number of inaccurate claims."

The author of the incendiary Substack post, "DeepDelver," identified themselves as an individual who worked at what is now a former client of Delve. In subsequent communication with TechCrunch via email, DeepDelver and their collaborators explained their decision to remain anonymous, citing a profound "fear for retaliation by Delve." This fear underscores the gravity with which the accusations are being made and perceived.

DeepDelver’s narrative began with a pivotal event in December, when they, along with other Delve clients, received an unsettling email. This email reportedly claimed that Delve had "leaked a spreadsheet with confidential client reports." While Delve’s CEO, Karun Kaushik, reportedly attempted to quell concerns in a follow-up email, assuring customers of their compliance and stating that no external party had gained access to sensitive data, DeepDelver and several other customers grew suspicious.

"Having the shared experience of being underwhelmed with the Delve experience, and having the overall sense that something fishy was going on, we decided to pool resources and investigate together," DeepDelver elaborated in their post. This collective skepticism among clients laid the groundwork for a deeper, collaborative inquiry into Delve’s operations and claims.

The investigation, according to DeepDelver, led to a damning conclusion: Delve "achieves its claim of being the fastest platform by producing fake evidence, generating auditor conclusions on behalf of certification mills that rubber stamp reports, and skipping major framework requirements while telling clients they have achieved 100% compliance." This sweeping indictment suggests a systemic issue rather than isolated incidents.

DeepDelver delved into considerable detail regarding these claims, accusing the startup of providing its customers with "fabricated evidence of board meetings, tests, and processes that never happened." Furthermore, the post alleged that Delve then compelled these customers to "choose between adopting fake evidence or performing mostly manual work with little real automation or AI." This forced choice, if true, places clients in a precarious position, potentially compromising their genuine compliance efforts.

A significant part of DeepDelver’s exposé focused on Delve’s relationship with audit firms. The post claimed that virtually all of Delve’s clients appear to have engaged two specific audit firms: Accorp and Gradient. DeepDelver described these firms as being "part of the same operation," operating primarily from India with only a "nominal presence in the United States." The core accusation here is that these firms are not conducting independent audits but are merely "rubber-stamping reports that were generated by Delve."

This alleged practice, DeepDelver argued, fundamentally "inverts" the normal compliance structure. "By generating auditor conclusions, test procedures, and final reports before any independent review occurs, Delve places itself in the role of both implementer and examiner," the post asserted. DeepDelver stressed that this is not a mere "technicality" but "a structural fraud that invalidates the entire attestation." The implications of such a system for regulatory compliance and corporate accountability are profound, suggesting that the certifications obtained through Delve’s platform might be legally meaningless.

Beyond misleading its direct customers, DeepDelver also accused Delve of helping these customers "mislead the public by hosting trust pages that contain security measures that were never implemented." These trust pages, often displayed prominently by companies to assure their users of their security posture, would, under these allegations, be disseminating false information, further eroding trust.

DeepDelver recounted a peculiar incident during their company’s discussions with Delve regarding its issues. Delve reportedly "sent us multiple boxes of donuts […] to keep us happy." Despite this unusual gesture, DeepDelver’s employer ultimately decided to unpublish its trust page and has since ceased relying on the startup for its compliance needs, indicating a clear loss of confidence.

In its official response, Delve staunchly defended its operations. The company stated that it "does not issue compliance reports at all." Instead, Delve clarified its role as an "automation platform" designed to ingest information pertinent to compliance and subsequently provide auditors with access to that data. "Final reports and opinions are issued solely by independent, licensed auditors, not Delve," the company emphasized, seeking to distance itself from the final certification process.

Delve further asserted that its customers retain agency in their choice of auditing partners. Clients "can opt to work with an auditor of their choosing or opt to work with one from Delve’s network of independent, accredited third-party audit firms," the startup stated. Regarding the legitimacy of the auditors within its network, Delve claimed these are "established firms used broadly across the industry, including by other compliance platforms," aiming to counter the "certification mills" accusation.

Addressing the serious claim of providing customers with "fake evidence," Delve countered that it merely offers "templates to help teams document their processes in accordance with compliance requirements, as do other compliance platforms." The company drew a clear distinction, stating, "Draft templates are not the same as ‘pre-filled evidence.’" This explanation attempts to reframe the alleged "fake evidence" as a standard tool for documentation. Delve also indicated that it is "actively investigating any leaks" and is "still reviewing the Substack" post.

When TechCrunch sought DeepDelver’s reaction to Delve’s official response, DeepDelver expressed extreme skepticism, stating they were "baffled by the laziness, clumsiness and brazenness of it." They specifically criticized Delve’s attempt to deflect responsibility: "They are trying to snake their way out [of] being held accountable by denying having ‘pre-filled evidence’ but calling it ‘templates’ instead, effectively shifting the blame to customers for adopting the ‘templates’ as is." DeepDelver also challenged Delve’s definition of "issuing" a report, arguing that it is "easy to claim if you define issuing a report as providing the final stamp," ignoring the alleged preparatory work done by Delve.

DeepDelver highlighted several "very serious allegations" that they claimed Delve failed to address entirely in its response. These include "The India accusation" regarding the audit firms Accorp and Gradient, "the lack of AI" in Delve’s platform (despite Delve only mentioning "automations"), and the crucial issue of "the trust (lol) page containing controls that were never implemented." This suggests a deeper dissatisfaction with the comprehensiveness and sincerity of Delve’s rebuttal. DeepDelver ominously promised that "Part II will follow soon," indicating that the full scope of their criticism has yet to be revealed.

The controversy deepened with additional security concerns surfacing after the initial Substack post. An X (formerly Twitter) user named James Zhou publicly claimed they were able to gain access to sensitive information from Delve, including employee background checks and equity vesting schedules. Following this, Dvuln founder Jamieson O’Reilly shared further details, reportedly from a conversation with Zhou, detailing "several gaping security holes in Delve’s external attack surface." These new revelations, if substantiated, would compound the startup’s challenges, shifting the focus from alleged compliance fraud to direct security vulnerabilities within its own systems.

TechCrunch attempted to contact Delve for additional comment via the media contact address listed on its website. The email initially bounced, an anomaly for a company of Delve’s profile. However, after the initial publication of this article, a calendar invite for a "Delve demo" later this week was received, indicating some form of communication or system activity from the company.

This post was initially published on March 21, 2026, and has since been updated to include emailed answers from DeepDelver, additional information regarding purported security vulnerabilities provided by Jamieson O’Reilly, and further details concerning Delve’s response to TechCrunch’s inquiries. The ongoing saga promises further developments as both parties continue to present their cases and external scrutiny intensifies.
