Delve Faces Fake Compliance Allegations
▼ Summary
– An anonymous Substack post accuses Delve of falsely assuring customers they were compliant with regulations, exposing them to potential legal and financial penalties.
– The post, written by a former client, claims Delve fabricates evidence and uses audit firms that rubber-stamp reports without proper independent review.
– Delve refuted the accusations, stating it is an automation platform and that final compliance reports are issued solely by independent, licensed auditors.
– The startup stated it provides templates for documentation, not pre-filled evidence, and is investigating the alleged data leak mentioned in the post.
– TechCrunch reported that its attempt to contact Delve via its listed media email failed, as the message bounced.
A recent anonymous Substack post has leveled serious allegations against Delve, a Y Combinator-backed compliance automation startup. The author, using the pseudonym DeepDelver, claims the company misled hundreds of clients by falsely assuring them they were fully compliant with major regulations like HIPAA and GDPR, potentially exposing those businesses to legal risk and substantial fines. Delve, which raised a $32 million Series A round last year at a $300 million valuation, has publicly denounced the post as “misleading” and filled with inaccuracies.
DeepDelver identifies as an employee of a former Delve client. Their investigation began after receiving an email in December regarding a potential data leak involving confidential client reports. While Delve’s CEO, Karun Kaushik, reportedly assured customers that no external breach occurred and compliance was maintained, DeepDelver and other clients grew skeptical. They collaborated to examine the platform’s practices, forming a damning conclusion. Their report asserts that Delve achieves its speed claims by generating fabricated evidence, such as records of board meetings and tests that never occurred, and by having audit firms rubber-stamp reports without proper independent review.
The post details an alleged scheme where Delve inverts the standard compliance structure. Instead of an independent auditor conducting examinations, DeepDelver claims the startup pre-generates auditor conclusions, test procedures, and final reports. This practice, they argue, positions Delve as both implementer and examiner, constituting what they call a structural fraud that invalidates any attestation. The anonymous author specifically names two audit firms, Accorp and Gradient, described as part of the same operation based primarily in India, which they allege automatically approve Delve’s pre-prepared documentation.
Furthermore, DeepDelver accuses Delve of enabling clients to mislead the public by hosting trust pages that list security measures never actually implemented. Their own company has since unpublished its trust page and severed ties with the startup.
In its official response, Delve firmly rejects these characterizations. The company states it does not issue compliance reports but operates as an automation platform that organizes client information for auditor access. It emphasizes that final reports and opinions are issued solely by independent, licensed auditors. Delve also clarifies that clients are free to choose their own auditor or select one from the startup’s network of accredited third-party firms, which it describes as established industry partners.
Addressing the “fake evidence” charge, Delve explains it provides draft templates to help teams document processes, a common industry practice, and distinguishes these from “pre-filled evidence.” The company confirms it is actively investigating the alleged data leaks and is reviewing the Substack post in detail. Attempts to reach Delve through its listed media contact were unsuccessful, as the email address bounced. Requests for additional comment sent to DeepDelver have not yet been returned.
(Source: TechCrunch)
