Delve Faces Anonymous Fraud Allegations Over Compliance Practices and Security Gaps

New updates have been reported about Delve.

Compliance startup Delve is under scrutiny after an anonymous Substack post by a purported former client accused the company of falsely assuring hundreds of customers that they were compliant with regulations such as HIPAA and GDPR, potentially exposing them to criminal and financial penalties. The post, authored under the pseudonym “DeepDelver,” alleges Delve fabricates evidence, orchestrates rubber‑stamped audits, and misleads the market with trust pages describing security controls that were never implemented.

Delve, which raised a $32 million Series A at a $300 million valuation led by Insight Partners, has publicly rejected the claims as misleading and inaccurate, stating it is an automation platform that aggregates compliance data and provides it to independent, licensed auditors who alone issue formal reports. The company says customers may use any auditor or select from Delve’s network of accredited third parties and insists that what critics call “fake evidence” are standard templates to help clients document processes, not pre‑filled attestations. DeepDelver disputes this characterization, calling Delve’s response evasive and asserting that key allegations—such as heavy reliance on India‑based audit operations, limited use of true AI, and unimplemented controls on trust pages—remain unanswered.

The Substack post also claims Delve’s model structurally undermines compliance by having the platform generate auditor conclusions, test procedures, and draft reports ahead of any independent review, effectively placing Delve in the role of both implementer and examiner and invalidating attestations. Separately, an X user, James Zhou, alleged they could access sensitive Delve‑related information, including employee background checks and equity vesting data, with security researcher Jamieson O’Reilly amplifying concerns about major weaknesses in Delve’s external attack surface. Delve says it is actively investigating potential data leaks and continues to review the Substack claims, while the anonymous critics promise a follow‑up post, raising the likelihood of continued reputational, regulatory, and customer‑trust risks for the company and its investors.