Delve Splits from Y Combinator Amid Struggles
▼ Summary
– Y Combinator has removed Delve from its portfolio and website, with the startup’s COO confirming the two have parted ways.
– An anonymous source named DeepDelver has accused Delve of misleading clients about compliance and improperly using an open-source tool.
– Delve’s leadership claims these accusations are part of a malicious smear campaign from an attacker who stole company data.
– The company is taking steps to reassure customers, including offering re-audits and cutting ties with substandard auditing firms.
– Another investor, Insight Partners, also previously distanced itself from Delve, though later restored a related blog post.
The compliance software company Delve has officially separated from the prominent startup accelerator Y Combinator. The firm is no longer featured in YC’s public portfolio directory, and its dedicated page has been removed from the accelerator’s website. Delve’s Chief Operating Officer, Selin Kocalar, confirmed the split in a social media post, expressing gratitude for the YC community and the experience that began with an interview at MIT. This development follows a pattern of investor unease, as Insight Partners also temporarily removed online content referencing its investment in the startup.
The departure coincides with a sustained public relations challenge for Delve, which is vigorously contesting a series of damaging anonymous allegations. A source using the pseudonym DeepDelver has published multiple posts accusing the company of misleading clients about their compliance status. These claims suggest Delve bypassed essential regulatory requirements and utilized certification mills to approve auto-generated reports. The anonymous critic, who identifies as a former customer, states their suspicions were triggered by receiving leaked internal data about Delve’s clientele.
Subsequent posts from DeepDelver included purported internal company communications and video, along with an accusation that Delve improperly repurposed an open-source tool without proper attribution or developer agreement. An unrelated security researcher also reported accessing sensitive Delve information. The situation grew more complex when malware was discovered in an open-source project developed by LiteLLM, a company that is a Delve customer.
In a detailed public response, Delve’s leadership has framed the controversy as a malicious attack rather than legitimate whistleblowing. CEO Karun Kaushik and COO Selin Kocalar stated they have engaged a cybersecurity firm to investigate and believe an attacker purchased their service under false pretenses to steal and weaponize internal data. They provided a screenshot allegedly showing the exfiltration of an audit tracking spreadsheet as part of what they call a coordinated smear campaign.
The executives dismissed the specific criticisms as a blend of fabricated claims and cherry-picked data. They countered the open-source allegation by noting their work was based on an Apache 2.0 licensed repository, which permits commercial use, and that they significantly rebuilt the tool for compliance applications. Acknowledging that their rapid growth led to shortcomings, Kaushik publicly apologized to customers for any inconvenience.
To rebuild trust, Delve has outlined several corrective actions. The company says it is purging its network of auditing partners that fail to meet its standards, offering complimentary re-audits and penetration tests to all active clients, and clarifying that its provided templates are intended only as starting points for customer use. As the company navigates this crisis, its former backer Y Combinator has chosen to sever its official ties.
(Source: TechCrunch)
