Delve accused of misleading customers with ‘fake compliance’ Anthony Ha 10:00 AM PDT · March 21, 2026 An anonymous Substack post published this week accuses compliance startup Delve of “falsely” convincing “hundreds of customers they were compliant” with privacy and security regulations, potentially exposing those customers to “criminal liability under HIPAA and hefty fines under GDPR.”
Delve is a Y Combinator-backed startup that last year announced raising a $32 million Series A at a $300 million valuation. (The round was led by Insight Partners.) On Friday, the startup attempted to refute the accusations on its blog , calling the Substack post “misleading” and saying it “contains a number of inaccurate claims.”
The Substack post is credited to “DeepDelver,” who described themselves as working at a (now former) Delve client.
DeepDelver recounted receiving an email in December claiming the startup had “leaked a spreadsheet with confidential client reports.” While Delve CEO Karun Kaushik apparently assured customers in a subsequent email that they were in compliance and that no external party gained access to sensitive data, DeepDelver said they and other customers had become suspicious.
“Having the shared experience of being underwhelmed with the Delve experience, and having the overall sense that something fishy was going on, we decided to pool resources and investigate together,” they wrote.
Their conclusion? That Delve “achieves its claim of being the fastest platform by producing fake evidence, generating auditor conclusions on behalf of certification mills that rubber stamp reports, and skipping major framework requirements while telling clients they have achieved 100% compliance.”
DeepDelver went into considerable detail about those claims, accusing the startup of providing customers with “fabricated evidence of board meetings, tests, and processes that never happened,” then forcing those customers to “choose between adopting fake evidence or performing mostly manual work with little real automation or AI.”
Techcrunch event Disrupt 2026: The tech ecosystem, all in one room Your next round. Your next hire. Your next breakout opportunity. Find it at TechCrunch Disrupt 2026, where 10,000+ founders, investors, and tech leaders gather for three days of 250+ tactical sessions, powerful introductions, and market-defining innovation. Register now to save up to $400. Save up to $300 or 30% to TechCrunch Founder Summit 1,000+ founders and investors come together at TechCrunch Founder Summit 2026 for a full day focused on growth, execution, and real-world scaling. Learn from founders and investors who have shaped the industry. Connect with peers navigating similar growth stages. Walk away with tactics you can apply immediately Offer ends March 13. San Francisco, CA | October 13-15, 2026 REGISTER NOW DeepDelver also claimed that virtually all of Delve’s clients seem to have gone through two audit firms, Accorp and Gradient, which they described as “part of the same operation,” one that operates primarily in India, with only a nominal presence in the United States.
Those firms, they said, are just rubber-stamping reports that were generated by Delve. As a result, DeepDelver said the startup “inverts” the normal compliance structure: “By generating auditor conclusions, test procedures, and final reports before any independent review occurs, Delve places itself in the role of both implementer and examiner. This is not a technicality. It is a structural fraud that invalidates the entire attestation.”
In addition to accusing Delve of misleading its customers, DeepDelver said the startup is helping those customers “mislead the public by hosting trust pages that contain security measures that were never implemented.”
DeepDelver said that while their company was discussing its issues with Delve, the startup “sent us multiple boxes of donuts already to keep us happy.” Nonetheless, DeepDelver’s employer supposedly unpublished its trust page and no longer relies on the startup for compliance.
Delve responded to the accusations by saying it does not issue compliance reports at all. Instead, it’s an “automation platform” that ingests information about compliance, then provides auditors with access to that information.
“Final reports and opinions are issued solely by independent, licensed auditors, not Delve,” the company said.
Delve also said that its customers “can opt to work with an auditor of their choosing or opt to work with one from Delve’s network of independent, accredited third-party audit firms.” Those auditors, the startup said, are “established firms used broadly across the industry, including by other compliance platforms.”
In response to the accusation that it’s providing customers with “fake evidence,” Delve countered that it’s simply offering “templates to help teams document their processes in accordance with compliance requirements, as do other compliance platforms.”
___________________________________________________________________________________________________________
-- --
PLEASE LIKE IF YOU FOUND THIS HELPFUL TO SUPPORT OUR FORUM.
