
Uncovering the Deception: Delve’s Alleged Use of ‘Fake Compliance’ to Mislead Customers

Anonymous Post Accuses Compliance Startup Delve of Misleading Customers

An anonymous Substack post recently made allegations against compliance startup Delve, claiming that the company had misled “hundreds of customers” into believing they were compliant with privacy and security regulations. The post suggested that this could expose those customers to criminal liability under HIPAA and hefty fines under GDPR.

Delve, a Y Combinator-backed startup that raised a $32 million Series A funding round last year, refuted these accusations on its blog. The startup called the Substack post “misleading” and stated that it contained “inaccurate claims.”

The post, credited to “DeepDelver,” claimed to be from a former Delve client. DeepDelver recounted receiving an email in December alleging that Delve had leaked a confidential client report spreadsheet. Despite Delve CEO Karun Kaushik’s assurance that the company was in compliance and that no external party had accessed sensitive data, DeepDelver and other customers became suspicious.

According to DeepDelver, Delve achieved compliance by producing fake evidence, generating auditor conclusions on behalf of certification mills, and skipping major framework requirements while assuring clients they had achieved full compliance.

DeepDelver also alleged that most of Delve’s clients had audits conducted by two firms, Accorp and Gradient, which they claimed were part of the same operation. These firms, primarily operating in India with only nominal presence in the US, were accused of rubber-stamping reports generated by Delve.

Delve was accused of inverting the compliance structure by generating auditor conclusions and reports before any independent review, thus invalidating the attestation process.

DeepDelver also claimed that Delve helped customers mislead the public by hosting trust pages containing security measures that were never implemented.

Despite receiving gifts from Delve, DeepDelver’s employer reportedly unpublished its trust page and no longer relies on Delve for compliance.

In response to the accusations, Delve clarified that it does not issue compliance reports but functions as an automation platform that provides auditors access to compliance information. Final reports and opinions are issued solely by independent, licensed auditors, not by Delve.

Delve stated that its customers can choose to work with auditors of their choice or from Delve’s network of independent, accredited third-party audit firms, widely used in the industry.

Regarding allegations of providing fake evidence, Delve explained that they offer templates to help teams document processes in compliance with requirements, similar to other compliance platforms.

Delve is actively investigating any leaks and reviewing the Substack post following these accusations.

After the initial Substack post, a user named James Zhou claimed to have accessed sensitive information from Delve, such as employee background checks and equity vesting schedules. Dvuln founder Jamieson O’Reilly shared further details on security vulnerabilities in Delve’s external attack surface.

TechCrunch reached out to Delve for additional comment, but the media contact email bounced. However, a calendar invite for a “Delve demo” was received. TechCrunch also contacted DeepDelver for further comments.

This article has been updated with additional information on security vulnerabilities provided by Jamieson O’Reilly and further details on Delve’s response to TechCrunch.
