
Delve accused of misleading customers with ‘fake compliance’

An anonymous Substack post published this week accuses the compliance startup Delve of “falsely” convincing “hundreds of customers that they were compliant” with privacy and security regulations, potentially exposing those customers to “criminal liability under HIPAA and significant fines under GDPR.”

Delve is a Y Combinator-backed startup that last year announced it had raised a $32 million Series A at a $300 million valuation. (The round was led by Insight Partners.) On Friday, the startup attempted to refute the allegations on its blog, calling the Substack post “misleading” and saying it “contains a number of inaccurate claims.”

The Substack post is attributed to “DeepDelver,” who describes themselves as working for a (now former) Delve customer.

DeepDelver said they received an email in December claiming the startup had “leaked a spreadsheet of confidential customer reports.” While Delve CEO Karun Kaushik apparently assured customers in a subsequent email that they were in compliance and that no outside party would gain access to sensitive data, DeepDelver said they and other customers had grown suspicious.

“Because we had the shared experience of being unimpressed with the Delve experience, and because we had a general feeling that something strange was going on, we decided to pool resources and investigate together,” they wrote.

Their conclusion? That Delve “lives up to its claim to be the fastest platform by producing bogus evidence, generating auditor conclusions on behalf of certification factories that publish rubber-stamped reports, and skipping important framework requirements while telling customers they have achieved 100% compliance.”

DeepDelver went into these claims in quite some detail, accusing the startup of providing customers with “fabricated evidence from board meetings, tests, and processes that never happened,” and then forcing those customers to “choose between taking fake evidence or performing mostly manual work with little real automation or AI.”

DeepDelver also alleged that virtually all of Delve’s clients appear to have gone through two accounting firms, Accorp and Gradient, which they describe as “part of the same operation,” a company that operates primarily in India, with only a nominal presence in the United States.

Those firms, they said, merely rubber-stamp reports generated by Delve. As a result, DeepDelver says the startup is “inverting” the normal compliance structure: “By generating auditor conclusions, test procedures and final reports before an independent assessment takes place, Delve places itself in the role of both executor and examiner. This is not a technical detail. It is a structural fraud that invalidates the entire attestation.”

In addition to accusing Delve of misleading its customers, DeepDelver said the startup helps these customers “mislead the public by hosting trust pages that contain security measures that were never implemented.”

DeepDelver said that while their company was discussing the issues with Delve, the startup “already sent us multiple boxes of donuts to keep us happy.” Nevertheless, DeepDelver’s employer is said to have unpublished its trust page and no longer relies on the startup for compliance.

Delve responded to the allegations by saying it does not issue compliance reports at all. Instead, it is an “automation platform” that ingests compliance information and then gives auditors access to that information.

“Final reports and opinions are issued only by independent, certified auditors, and not by Delve,” the company said.

Delve also said its clients “can choose to work with an auditor of their choice or work with an auditor from Delve’s network of independent, accredited third-party audit firms.” Those auditors, the startup said, are “established companies that are widely used across the industry, including by other compliance platforms.”

In response to the accusation that it provides customers with “fake evidence,” Delve countered that it simply offers “templates to help teams document their processes in accordance with compliance requirements, just like other compliance platforms.”

“Draft templates are not the same as ‘pre-populated evidence,’” the company said.

Delve added that it is “actively investigating any possible leaks” and “is still assessing the Substack.”

After the first Substack post, an X user named James Zhou said they were able to access sensitive information from Delve, such as employee background checks and stock acquisition schedules. Dvuln founder Jamieson O’Reilly shared more details about what O’Reilly said was a conversation with Zhou about “several gaping security holes in Delve’s external attack surface.”

TechCrunch sent an email requesting additional comment to the media contact address listed on Delve’s website. The email bounced, but I received a calendar invite to a “Delve Demo” later this week. TechCrunch has also reached out to DeepDelver for additional comment.
