
A Substack post released this week anonymously accuses the compliance startup Delve of “misleadingly” assuring “hundreds of customers they were compliant” with privacy and security regulations, which could lead to “criminal liability under HIPAA and significant fines under GDPR.”
Delve is a startup backed by Y Combinator that last year declared it had raised a $32 million Series A at a $300 million valuation. (The funding round was led by Insight Partners.) On Friday, the startup made efforts to counter the allegations on its blog, labeling the Substack post as “misleading” and asserting it “contains several inaccurate assertions.”
The Substack post is attributed to “DeepDelver,” who identified themselves as an employee of a (now former) client of Delve. When responding to emailed inquiries from TechCrunch, DeepDelver stated that they and their associates “decided to stay anonymous due to concerns of retaliation from Delve.”
In their narrative, DeepDelver recalled receiving an email in December alleging that the startup had “shared a spreadsheet containing confidential client documents.” While Delve CEO Karun Kaushik reportedly reassured customers in a follow-up email that they were compliant and that no outside party accessed sensitive information, DeepDelver indicated that they and other clients had grown wary.
“Having a common experience of feeling disappointed with the Delve interaction and sensing something suspicious, we decided to collaborate and investigate collectively,” they stated.
Their finding? That Delve “claims to be the quickest platform by fabricating evidence, generating auditor conclusions on behalf of certification companies that rubber stamp reports, and bypassing significant framework prerequisites while assuring clients they’ve attained 100% compliance.”
DeepDelver elaborated on these claims, alleging that the startup provided clients with “fake documentation of board meetings, tests, and processes that never took place,” then compelled those clients to “choose between using fake documentation or conducting mostly manual tasks with minimal genuine automation or AI.”
DeepDelver also asserted that nearly all of Delve’s clients appear to have passed through two auditing firms, Accorp and Gradient, which they referred to as “part of the same operation,” primarily functioning in India, with only a nominal presence in the U.S.
These firms, they claimed, merely rubber-stamp reports produced by Delve. Consequently, DeepDelver stated the startup “reverses” the conventional compliance structure: “By creating auditor conclusions, test processes, and final reports before any independent evaluation takes place, Delve positions itself as both the implementer and examiner. This is not a minor detail. It represents a structural fraud that nullifies the entire attestation.”
Apart from accusing Delve of misleading its clients, DeepDelver indicated that the startup is enabling those clients to “mislead the public by maintaining trust pages that include security measures that were never enacted.”
DeepDelver mentioned that while their organization was voicing concerns about Delve, the startup “sent us numerous boxes of donuts […] to keep us satisfied.” Nevertheless, DeepDelver’s employer reportedly unpublished its trust page and has ceased relying on the startup for compliance.
In response to the allegations, Delve stated that it does not produce compliance reports at all. Instead, it operates as an “automation platform” that aggregates compliance information and provides auditors with access to that data.
“Final reports and opinions are issued exclusively by independent, licensed auditors, not Delve,” the company asserted.
Delve further indicated that its clients “can select to partner with an auditor of their preference or opt to work with one from Delve’s network of independent, accredited third-party audit firms.” Those auditors, the startup noted, are “established firms widely recognized across the industry, including by other compliance platforms.”
In refuting the allegation of providing clients with “fake evidence,” Delve responded that it is merely offering “templates to assist teams in documenting their processes in line with compliance requirements, as do other compliance providers.”
“Draft templates differ from ‘pre-filled evidence,’” the company stated.
Delve added that it is “actively examining any leaks” and is “continuing to review the Substack.”
When asked about Delve’s rebuttal, DeepDelver told TechCrunch that they were “confounded by the sloppiness, awkwardness, and boldness of it.”
“They are trying to slither out [of] accountability by denying they have ‘pre-filled evidence’ but labeling it as ‘templates’ instead, effectively placing the responsibility on clients for adopting the ‘templates’ as is,” DeepDelver stated. “They’re asserting that they are not responsible for ‘issuing’ the report, which is easy to claim if you interpret issuing a report as providing the final endorsement.”
They added that there are “several very serious allegations” that Delve completely failed to address: “The India claim, the absence of AI (they only reference ‘automations’), and the trust (lol) page featuring controls that were never implemented.”
Evidently, DeepDelver is not finished with its critique, as it promised, “Part II will follow shortly.”
Additionally, following the initial Substack post, a user named James Zhou on X stated they managed to access sensitive details from Delve, such as employee background checks and equity vesting schedules. Dvuln founder Jamieson O’Reilly shared further insights from what O’Reilly described as a discussion with Zhou about “multiple glaring security vulnerabilities in Delve’s external attack surface.”
TechCrunch reached out via email for additional comments to the media contact provided on Delve’s website. The email was undeliverable, but after this article was released, I received a calendar invitation for a “Delve demonstration” set for later this week.
This article was initially published on March 21, 2026. It has been updated with emailed responses from DeepDelver, additional information regarding alleged security vulnerabilities provided by Jamieson O’Reilly, and further details about Delve’s reaction to TechCrunch.

