Uncovering the Truth: Exposing Delve’s Deceptive Compliance Practices

Anonymous Accusations Against Compliance Startup Delve

Recently, an anonymous Substack post made waves by accusing compliance startup Delve of misleading hundreds of customers into believing they were compliant with privacy and security regulations. This potentially exposed these customers to legal trouble under HIPAA and GDPR.

Delve, a Y Combinator-backed startup, raised a significant Series A funding last year. In response to the accusations, the startup defended itself on its blog, labeling the Substack post as “misleading” and refuting the claims made.

The post, attributed to “DeepDelver,” claimed to be from a former Delve client. DeepDelver expressed concerns about Delve’s practices, including allegedly providing fake evidence of compliance and manipulating audit processes.

According to DeepDelver, Delve utilized fabricated evidence and questionable practices to give the impression of compliance. They alleged that Delve’s clients were misled into believing they had met all requirements when, in reality, important framework requirements were skipped.

DeepDelver also raised concerns about the audit firms used by Delve, suggesting that these firms were merely rubber-stamping reports generated by the startup. They accused Delve of essentially acting as both implementer and examiner, casting doubt on the legitimacy of the compliance attestation process.

In response to the accusations, Delve clarified that it does not issue compliance reports but serves as an automation platform that assists auditors by providing access to compliance-related information. The company emphasized that final reports and opinions are issued solely by independent auditors, not by Delve.

Delve refuted claims of providing fake evidence, stating that they offer templates to help teams document their processes in line with compliance requirements. The company asserted that these templates are not pre-filled evidence but rather tools to aid in compliance documentation.

DeepDelver criticized Delve’s response, calling it lazy and attempting to shift blame onto customers. They highlighted serious allegations that Delve failed to address, including concerns about the company’s operations in India, the lack of AI utilization, and discrepancies in trust page information.

Following the initial accusations, further claims were made by a user named James Zhou, who alleged gaining access to sensitive information from Delve. Additionally, Jamieson O’Reilly of Dvuln shared details of security vulnerabilities in Delve’s systems.

TechCrunch reached out to Delve for additional comment, but the response was unavailable. However, a “Delve demo” invitation was received after the publication of the article.

This article was first published on March 21, 2026, and has been updated with responses from DeepDelver, details on security vulnerabilities from Jamieson O’Reilly, and additional information on Delve’s stance.