{"id":3488565,"date":"2026-03-22T14:43:51","date_gmt":"2026-03-22T14:43:51","guid":{"rendered":"https:\/\/techingeek.com\/index.php\/2026\/03\/22\/delve-charged-with-deceiving-clients-through-false-compliance\/"},"modified":"2026-03-22T14:43:51","modified_gmt":"2026-03-22T14:43:51","slug":"delve-charged-with-deceiving-clients-through-false-compliance","status":"publish","type":"post","link":"https:\/\/techingeek.com\/index.php\/2026\/03\/22\/delve-charged-with-deceiving-clients-through-false-compliance\/","title":{"rendered":"Delve charged with deceiving clients through \u2018false compliance\u2019"},"content":{"rendered":"
<\/div>\n

A Substack post released this week anonymously accuses the compliance startup Delve of \u201cmisleadingly\u201d assuring \u201chundreds of customers they were compliant\u201d with privacy and security regulations, which could lead to \u201ccriminal liability under HIPAA and significant fines under GDPR.\u201d<\/p>\n

Delve is a startup backed by Y Combinator that last year declared it had raised a $32 million Series A at a $300 million valuation. (The funding round was led by Insight Partners.) On Friday, the startup made efforts to counter the allegations on its blog, labeling the Substack post as \u201cmisleading\u201d and asserting it \u201ccontains several inaccurate assertions.\u201d<\/p>\n

The Substack post is attributed to \u201cDeepDelver,\u201d who identified themselves as an employee of a (now former) client of Delve.\u00a0When responding to emailed inquiries from TechCrunch, DeepDelver stated that they and their associates \u201cdecided to stay anonymous due to concerns of retaliation from Delve.\u201d<\/p>\n

In their narrative, DeepDelver recalled receiving an email in December alleging that the startup had \u201cshared a spreadsheet containing confidential client documents.\u201d While Delve CEO Karun Kaushik reportedly reassured customers in a follow-up email that they were compliant and that no outside party accessed sensitive information, DeepDelver indicated that they and other clients had grown wary.<\/p>\n

\u201cHaving a common experience of feeling disappointed with the Delve interaction and sensing something suspicious, we decided to collaborate and investigate collectively,\u201d they stated.<\/p>\n

Their finding? That Delve \u201cclaims to be the quickest platform by fabricating evidence, generating auditor conclusions on behalf of certification companies that rubber stamp reports, and bypassing significant framework prerequisites while assuring clients they\u2019ve attained 100% compliance.\u201d<\/p>\n

DeepDelver elaborated on these claims, alleging that the startup provided clients with \u201cfake documentation of board meetings, tests, and processes that never took place,\u201d then compelling those clients to \u201cchoose between using fake documentation or conducting mostly manual tasks with minimal genuine automation or AI.\u201d<\/p>\n

\n
\n

Techcrunch event<\/p>\n

\n

\n\t\t\t\t\t\t\t\t\tSan Francisco, CA<\/span>
\n\t\t\t\t\t\t\t\t\t\t\t\t\t|<\/span>
\n\t\t\t\t\t\t\t\t\t\t\t\t\tOctober 13-15, 2026<\/span>\n\t\t\t\t\t\t\t<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<\/div>\n

DeepDelver also asserted that nearly all of Delve\u2019s clients appear to have passed through two auditing firms, Accorp and Gradient, which they referred to as \u201cpart of the same operation,\u201d primarily functioning in India, with only a nominal presence in the U.S.<\/p>\n

These firms, they claimed, merely rubber-stamp reports produced by Delve. Consequently, DeepDelver stated the startup \u201creverses\u201d the conventional compliance structure: \u201cBy creating auditor conclusions, test processes, and final reports before any independent evaluation takes place, Delve positions itself as both the implementer and examiner. This is not a minor detail. It represents a structural fraud that nullifies the entire attestation.\u201d<\/p>\n

Apart from accusing Delve of misleading its clients, DeepDelver indicated that the startup is enabling those clients to \u201cmislead the public by maintaining trust pages that include security measures that were never enacted.\u201d\u00a0<\/p>\n

DeepDelver mentioned that while their organization was voicing concerns about Delve, the startup \u201csent us numerous boxes of donuts [\u2026] to keep us satisfied.\u201d Nevertheless, DeepDelver’s employer reportedly unpublished its trust page and has ceased relying on the startup for compliance.<\/p>\n

In response to the allegations, Delve stated that it does not produce compliance reports at all. Instead, it operates as an \u201cautomation platform\u201d that aggregates compliance information and provides auditors with access to that data.<\/p>\n

\u201cFinal reports and opinions are issued exclusively by independent, licensed auditors, not Delve,\u201d the company asserted.<\/p>\n

Delve further indicated that its clients \u201ccan select to partner with an auditor of their preference or opt to work with one from Delve\u2019s network of independent, accredited third-party audit firms.\u201d Those auditors, the startup noted, are \u201cestablished firms widely recognized across the industry, including by other compliance platforms.\u201d<\/p>\n

In refuting the allegation of providing clients with \u201cfake evidence,\u201d Delve responded that it is merely offering \u201ctemplates to assist teams in documenting their processes in line with compliance requirements, as do other compliance providers.\u201d<\/p>\n

\u201cDraft templates differ from \u2018pre-filled evidence,\u2019\u201d the company stated.<\/p>\n

Delve added that it is \u201cactively examining any leaks\u201d and is \u201ccontinuing to review the Substack.\u201d<\/p>\n

When asked about Delve\u2019s rebuttal, DeepDelver expressed to TechCrunch that they were \u201cconfounded by the sloppiness, awkwardness, and boldness of it.\u201d<\/p>\n

\u201cThey are trying to slither out [of] accountability by denying they have \u2018pre-filled evidence\u2019 but labeling it as \u2018templates\u2019 instead, effectively placing the responsibility on clients for adopting the \u2018templates\u2019 as is,\u201d DeepDelver stated. \u201cThey\u2019re asserting that they are not responsible for \u2018issuing\u2019 the report, which is easy to claim if you interpret issuing a report as providing the final endorsement.\u201d<\/p>\n

They added that there are \u201cseveral very serious allegations\u201d that Delve completely failed to address: \u201cThe India claim, the absence of AI (they only reference \u2018automations\u2019), and the trust (lol) page featuring controls that were never implemented.\u201d<\/p>\n

Evidently, DeepDelver is not finished with its critique, as it promised, \u201cPart II will follow shortly.\u201d<\/p>\n

Additionally, following the initial Substack post, a user named James Zhou on X stated they managed to access sensitive details from Delve, such as employee background checks and equity vesting schedules. Dvuln founder Jamieson O\u2019Reilly shared further insights from what O\u2019Reilly described as a discussion with Zhou about \u201cmultiple glaring security vulnerabilities in Delve\u2019s external attack surface.\u201d<\/p>\n

TechCrunch reached out via email for additional comments to the media contact provided on Delve\u2019s website. The email was undeliverable, but after this article was released, I received a calendar invitation for a \u201cDelve demonstration\u201d set for later this week.<\/p>\n

This article was initially published on March 21, 2026. It has been updated with emailed responses from DeepDelver, additional information regarding alleged security vulnerabilities provided by Jamieson O\u2019Reilly, and further details about Delve\u2019s reaction to TechCrunch.<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"

<\/div>\n

A Substack post released this week anonymously accuses the compliance startup Delve of \u201cmisleadingly\u201d assuring \u201chundreds of customers they were compliant\u201d with privacy and security regulations, which could lead to \u201ccriminal liability under HIPAA and significant fines under GDPR.\u201d<\/p>\n

Delve is a startup backed by Y Combinator that last year declared it had raised a $32 million Series A at a $300 million valuation. (The funding round was led by Insight Partners.) On Friday, the startup made efforts to counter the allegations on its blog, labeling the Substack post as \u201cmisleading\u201d and asserting it \u201ccontains several inaccurate assertions.\u201d<\/p>\n

The Substack post is attributed to \u201cDeepDelver,\u201d who identified themselves as an employee of a (now former) client of Delve.\u00a0When responding to emailed inquiries from TechCrunch, DeepDelver stated that they and their associates \u201cdecided to stay anonymous due to concerns of retaliation from Delve.\u201d<\/p>\n

In their narrative, DeepDelver recalled receiving an email in December alleging that the startup had \u201cshared a spreadsheet containing confidential client documents.\u201d While Delve CEO Karun Kaushik reportedly reassured customers in a follow-up email that they were compliant and that no outside party accessed sensitive information, DeepDelver indicated that they and other clients had grown wary.<\/p>\n

\u201cHaving a common experience of feeling disappointed with the Delve interaction and sensing something suspicious, we decided to collaborate and investigate collectively,\u201d they stated.<\/p>\n

Their finding? That Delve \u201cclaims to be the quickest platform by fabricating evidence, generating auditor conclusions on behalf of certification companies that rubber stamp reports, and bypassing significant framework prerequisites while assuring clients they\u2019ve attained 100% compliance.\u201d<\/p>\n

DeepDelver elaborated on these claims, alleging that the startup provided clients with \u201cfake documentation of board meetings, tests, and processes that never took place,\u201d then compelling those clients to \u201cchoose between using fake documentation or conducting mostly manual tasks with minimal genuine automation or AI.\u201d<\/p>\n

\n
\n

Techcrunch event<\/p>\n

\n

\n\t\t\t\t\t\t\t\t\tSan Francisco, CA<\/span>
\n\t\t\t\t\t\t\t\t\t\t\t\t\t|<\/span>
\n\t\t\t\t\t\t\t\t\t\t\t\t\tOctober 13-15, 2026<\/span>\n\t\t\t\t\t\t\t<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<\/div>\n

DeepDelver also asserted that nearly all of Delve\u2019s clients appear to have passed through two auditing firms, Accorp and Gradient, which they referred to as \u201cpart of the same operation,\u201d primarily functioning in India, with only a nominal presence in the U.S.<\/p>\n

These firms, they claimed, merely rubber-stamp reports produced by Delve. Consequently, DeepDelver stated the startup \u201creverses\u201d the conventional compliance structure: \u201cBy creating auditor conclusions, test processes, and final reports before any independent evaluation takes place, Delve positions itself as both the implementer and examiner. This is not a minor detail. It represents a structural fraud that nullifies the entire attestation.\u201d<\/p>\n

Apart from accusing Delve of misleading its clients, DeepDelver indicated that the startup is enabling those clients to \u201cmislead the public by maintaining trust pages that include security measures that were never enacted.\u201d\u00a0<\/p>\n

DeepDelver mentioned that while their organization was voicing concerns about Delve, the startup \u201csent us numerous boxes of donuts [\u2026] to keep us satisfied.\u201d Nevertheless, DeepDelver’s employer reportedly unpublished its trust page and has ceased relying on the startup for compliance.<\/p>\n

In response to the allegations, Delve stated that it does not produce compliance reports at all. Instead, it operates as an \u201cautomation platform\u201d that aggregates compliance information and provides auditors with access to that data.<\/p>\n

\u201cFinal reports and opinions are issued exclusively by independent, licensed auditors, not Delve,\u201d the company asserted.<\/p>\n

Delve further indicated that its clients \u201ccan select to partner with an auditor of their preference or opt to work with one from Delve\u2019s network of independent, accredited third-party audit firms.\u201d Those auditors, the startup noted, are \u201cestablished firms widely recognized across the industry, including by other compliance platforms.\u201d<\/p>\n

In refuting the allegation of providing clients with \u201cfake evidence,\u201d Delve responded that it is merely offering \u201ctemplates to assist teams in documenting their processes in line with compliance requirements, as do other compliance providers.\u201d<\/p>\n

\u201cDraft templates differ from \u2018pre-filled evidence,\u2019\u201d the company stated.<\/p>\n

Delve added that it is \u201cactively examining any leaks\u201d and is \u201ccontinuing to review the Substack.\u201d<\/p>\n

When asked about Delve\u2019s rebuttal, DeepDelver expressed to TechCrunch that they were \u201cconfounded by the sloppiness, awkwardness, and boldness of it.\u201d<\/p>\n

\u201cThey are trying to slither out [of] accountability by denying they have \u2018pre-filled evidence\u2019 but labeling it as \u2018templates\u2019 instead, effectively placing the responsibility on clients for adopting the \u2018templates\u2019 as is,\u201d DeepDelver stated. \u201cThey\u2019re asserting that they are not responsible for \u2018issuing\u2019 the report, which is easy to claim if you interpret issuing a report as providing the final endorsement.\u201d<\/p>\n

They added that there are \u201cseveral very serious allegations\u201d that Delve completely failed to address: \u201cThe India claim, the absence of AI (they only reference \u2018automations\u2019), and the trust (lol) page featuring controls that were never implemented.\u201d<\/p>\n

Evidently, DeepDelver is not finished with its critique, as it promised, \u201cPart II will follow shortly.\u201d<\/p>\n

Additionally, following the initial Substack post, a user named James Zhou on X stated they managed to access sensitive details from Delve, such as employee background checks and equity vesting schedules. Dvuln founder Jamieson O\u2019Reilly shared further insights from what O\u2019Reilly described as a discussion with Zhou about \u201cmultiple glaring security vulnerabilities in Delve\u2019s external attack surface.\u201d<\/p>\n

TechCrunch reached out via email for additional comments to the media contact provided on Delve\u2019s website. The email was undeliverable, but after this article was released, I received a calendar invitation for a \u201cDelve demonstration\u201d set for later this week.<\/p>\n

This article was initially published on March 21, 2026. It has been updated with emailed responses from DeepDelver, additional information regarding alleged security vulnerabilities provided by Jamieson O\u2019Reilly, and further details about Delve\u2019s reaction to TechCrunch.<\/em><\/p>\n","protected":false},"author":2,"featured_media":3488566,"comment_status":"open","ping_status":"closed","sticky":false,"template":"Default","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-3488565","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized"],"_links":{"self":[{"href":"https:\/\/techingeek.com\/index.php\/wp-json\/wp\/v2\/posts\/3488565"}],"collection":[{"href":"https:\/\/techingeek.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/techingeek.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/techingeek.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/techingeek.com\/index.php\/wp-json\/wp\/v2\/comments?post=3488565"}],"version-history":[{"count":0,"href":"https:\/\/techingeek.com\/index.php\/wp-json\/wp\/v2\/posts\/3488565\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/techingeek.com\/index.php\/wp-json\/wp\/v2\/media\/3488566"}],"wp:attachment":[{"href":"https:\/\/techingeek.com\/index.php\/wp-json\/wp\/v2\/media?parent=3488565"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/techingeek.com\/index.php\/wp-json\/wp\/v2\/categories?post=3488565"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/techingeek.com\/index.php\/wp-json\/wp\/v2\/tags?post=3488565"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}