21 Mar 2026, Sat

Delve accused of misleading customers with ‘fake compliance’

In a bombshell revelation published in an anonymous Substack post this week, compliance startup Delve, a prominent Y Combinator-backed company that recently secured a substantial $32 million Series A funding round at a $300 million valuation, is facing grave accusations of orchestrating a "fake compliance as a service" scheme. The anonymous author, writing under the pseudonym "DeepDelver," alleges that Delve has been systematically deceiving hundreds of its customers, falsely convincing them that they have achieved compliance with critical privacy and security regulations. This alleged deception, if true, could expose these businesses to severe consequences, including criminal liability under the Health Insurance Portability and Accountability Act (HIPAA) and substantial fines under the General Data Protection Regulation (GDPR).

The Substack post, penned by DeepDelver who claims to be a former employee of a now-former Delve client, paints a damning picture of the startup’s operations. The narrative begins with a disturbing incident in December, when DeepDelver’s organization received an email indicating that a spreadsheet containing confidential client reports had been leaked. While Delve CEO Karun Kaushik reportedly attempted to assuage customer fears in a subsequent email, assuring them of their compliant status and denying any external access to sensitive data, DeepDelver and other clients grew increasingly suspicious. This shared experience of dissatisfaction and a pervading sense of unease prompted DeepDelver and a group of other affected clients to pool their resources and conduct an independent investigation.

The findings of this investigation, as detailed in the Substack post, are deeply concerning. DeepDelver asserts that Delve achieves its purported speed in delivering compliance solutions by fabricating evidence, generating auditor conclusions on behalf of "certification mills" that merely rubber-stamp reports, and significantly omitting major framework requirements. All of this, DeepDelver claims, is done while assuring clients that they have attained 100% compliance. The post goes into granular detail about these accusations, alleging that Delve provides its customers with "fabricated evidence of board meetings, tests, and processes that never happened." Furthermore, clients are allegedly presented with a stark choice: either adopt this manufactured evidence or undertake substantial manual work, thereby undermining Delve’s promise of automation and AI-driven solutions.

A critical aspect of DeepDelver’s exposé focuses on the audit firms allegedly used by Delve’s clients. The post claims that virtually all of Delve’s customers appear to have engaged with two specific audit firms, Accorp and Gradient. DeepDelver describes these firms as being "part of the same operation," primarily based in India with only a nominal presence in the United States. The implication is that these firms are not independent arbiters of compliance but rather complicit partners in Delve’s alleged scheme, acting as mere rubber-stampers for reports generated by Delve. This arrangement, according to DeepDelver, fundamentally inverts the traditional compliance structure. By generating auditor conclusions, test procedures, and final reports before any independent review, Delve positions itself as both the implementer and the examiner. This, DeepDelver argues, is not a mere technicality but a "structural fraud that invalidates the entire attestation."

Beyond misleading its direct clients, DeepDelver also accuses Delve of facilitating the deception of the public. The startup is alleged to host "trust pages" that display security measures that have, in reality, never been implemented. In light of these findings, DeepDelver states that their own company has un-published its trust page and has ceased relying on Delve for compliance.

Delve, a company that last year garnered significant attention for its impressive funding round led by Insight Partners, has publicly responded to these serious allegations. In a blog post published on Friday, the startup vehemently denied the claims, labeling the Substack post as "misleading" and asserting that it "contains a number of inaccurate claims." Delve’s response seeks to clarify its role in the compliance ecosystem, stating that it does not issue compliance reports itself. Instead, the company describes itself as an "automation platform" that ingests compliance-related information and then provides auditors with access to this data.

"Final reports and opinions are issued solely by independent, licensed auditors, not Delve," the company emphasized in its rebuttal. Delve further elaborated that its customers have the option to work with an auditor of their own choosing or select one from Delve’s network of independent, accredited third-party audit firms. These firms, Delve maintains, are "established firms used broadly across the industry, including by other compliance platforms."

Regarding the accusation of providing "fake evidence," Delve countered that it offers "templates to help teams document their processes in accordance with compliance requirements, as do other compliance platforms." The company explicitly stated, "Draft templates are not the same as ‘pre-filled evidence.’" Delve also indicated that it is "actively investigating any leaks" and is "still reviewing the Substack."

The implications of DeepDelver’s accusations are far-reaching. For businesses operating in highly regulated sectors like healthcare, where HIPAA compliance is paramount, the failure to meet these standards can result in severe financial penalties, reputational damage, and even criminal charges for individuals involved. Similarly, companies subject to GDPR face the prospect of significant fines for data privacy violations. If Delve has indeed provided clients with a false sense of security and compliance, these businesses are now in a precarious position, potentially facing retrospective scrutiny and penalties.

The funding landscape for compliance technology has seen significant growth, with startups like Delve attracting substantial investment due to the increasing complexity of regulatory environments and the growing need for efficient compliance solutions. The involvement of Y Combinator, a prestigious accelerator known for backing successful startups, adds another layer of concern, as it often signifies a level of vetting and confidence in the companies it supports. That Insight Partners, a prominent venture capital firm, led Delve’s Series A round further underscores the perceived potential and market traction of the company prior to these allegations.

The nature of compliance itself is inherently trust-based. Businesses rely on the assurances provided by compliance platforms and audit firms to navigate complex legal frameworks and protect their customers’ data. The accusation that a platform designed to build this trust has instead fostered a culture of deception strikes at the core of the industry. The alleged involvement of specific audit firms, if proven to be a pattern of "rubber-stamping," raises serious questions about the integrity of the compliance audit process itself and the regulatory bodies that oversee it.

The Substack post’s detailed breakdown of Delve’s alleged methods – including the fabrication of documentation and the manipulation of audit processes – highlights a potential systemic issue rather than isolated incidents. The claim that Delve places itself in the dual role of implementer and examiner is a particularly alarming charge, as it bypasses the fundamental principle of independent oversight that underpins all compliance frameworks.

The news of these allegations comes at a time when data privacy and security remain at the forefront of global concerns. With increasing data breaches and evolving regulatory landscapes, the demand for robust and trustworthy compliance solutions is higher than ever. Companies are investing heavily in tools and services to ensure they meet their obligations, making the alleged deception by Delve particularly egregious.

TechCrunch, which originally reported on Delve’s Series A funding, has reached out for additional comment. However, an email sent to the media contact address listed on Delve’s website reportedly bounced, and further attempts to reach DeepDelver for additional comment are ongoing. The response from Delve, while a direct rebuttal, leaves many questions unanswered. The company’s assertion that it provides templates rather than "pre-filled evidence" needs to be scrutinized against the specific claims made by DeepDelver regarding fabricated documentation.

The situation underscores the critical need for due diligence and independent verification in the compliance technology sector. For businesses that have relied on Delve, the immediate priority will likely be to reassess their compliance posture, potentially engaging independent auditors to conduct thorough reviews of their implemented controls and documentation. The long-term implications for Delve, if the accusations are substantiated, could be severe, impacting its valuation, future funding prospects, and ultimately, its ability to operate. The regulatory bodies, such as the HHS for HIPAA and data protection authorities for GDPR, may also be compelled to investigate the alleged practices to ensure the integrity of compliance certifications and protect businesses and individuals from harm. The outcome of this unfolding situation will undoubtedly have a significant impact on the compliance technology landscape and the trust placed in such services.
