Delve Customer Hit by Major Security Breach

Summary
– Delve performed security certifications for Context AI, which was linked to a data breach at Vercel; Context AI has since dropped Delve and is re-certifying with Vanta and Insight Assurance.
– Anonymous whistleblower allegations claimed Delve faked customer data and used rubber-stamping auditors; Delve denied the allegations.
– Hackers attacked Delve customer LiteLLM, planting malware in its code; LiteLLM subsequently ended its relationship with Delve and sought re-certification.
– Lovable, a former Delve customer, admitted to a data breach due to a configuration error, despite having already left Delve and completed some re-certifications.
– The whistleblower alleged Delve denied customer refunds while taking its team to an offsite in Hawaii; TechCrunch could not confirm all claims, and Delve did not respond to requests for comment.
The saga surrounding compliance startup Delve continues to unravel with new developments, as the company finds itself at the center of multiple security incidents and allegations.
TechCrunch has confirmed that Delve was the compliance firm responsible for handling security certifications for Context AI, the AI agent training startup that recently disclosed a security incident leading to a data breach at major app and website hosting platform Vercel. Meanwhile, Lovable, another company that experienced its own security issue, has confirmed it is no longer a Delve customer.
To recap the timeline: Last month, Delve faced intense scrutiny after an anonymous whistleblower, known as DeepDelver, alleged the startup was fabricating customer data and relying on rubber-stamping auditors in its compliance processes. Delve has consistently denied these claims.
Shortly after, hackers targeted one of Delve’s certification clients, LiteLLM, planting malware in its open-source code. LiteLLM subsequently told TechCrunch it was terminating its relationship with Delve and seeking re-certification elsewhere. Delve was also accused of appropriating an open-source tool without proper license attribution. These incidents damaged the startup’s reputation, leading Y Combinator, where Delve was an alumnus, to sever ties.
The situation escalated last weekend when Vercel announced that hackers had breached its internal systems after an employee downloaded an app from Context AI and linked it to Vercel’s corporate Google account. The attackers exploited that employee’s Google account access to infiltrate Vercel’s systems.
Following Vercel’s disclosure, Gergely Orosz, author of the Pragmatic Engineer newsletter, posted on X that Delve had handled Context AI’s security certification. Context AI has now confirmed to TechCrunch that it was indeed a Delve customer but has since moved on. “Yes, Context was previously a Delve customer,” a spokesperson said. “Following the reporting surrounding Delve in March, we transitioned our compliance program to Vanta and engaged Insight Assurance, an independent audit firm, to conduct new examinations. We began updating our public materials and will share the new attestation when it is complete.”
It’s important to understand that security certifications alone do not prevent breaches. They are designed to verify that a company has established policies and processes to mitigate attacks and reduce the risk of customer data exposure.
Consider Lovable: It was a Delve customer but, after the whistleblower’s allegations surfaced, the vibe-coding platform said it had dropped the startup back in late 2025. Lovable has since completed one security certification and is in the process of redoing others. Yet, on Monday, Lovable admitted it had inadvertently exposed customer chat data publicly and had dismissed vulnerability reports that flagged the issue months earlier. The company apologized for initially denying the breach, attributing it to a configuration error rather than a hack.
Adding to the intrigue, the whistleblower DeepDelver has published another post alleging that Delve was denying refunds to customers while taking its team of over 20 people on an offsite trip to Hawaii between April 15 and April 19. DeepDelver shared receipts with TechCrunch that support the claim of a Hawaii trip, though other allegations could not be independently verified.
Delve did not respond to requests for comment, and an email to its media relations address bounced.
(Source: TechCrunch)