New updates have been reported about Delve.
Compliance startup Delve is under scrutiny after an anonymous Substack post by a purported former client accused the company of misleading hundreds of customers about their privacy and security compliance status, potentially exposing them to HIPAA criminal liability and substantial GDPR fines. The Y Combinator-backed firm, which raised a $32 million Series A at a $300 million valuation in 2023, has publicly rejected the claims as misleading and inaccurate.
The whistleblower, writing under the pseudonym “DeepDelver,” alleges that Delve’s promise of rapid compliance is achieved by generating fake or pre-constructed evidence, crafting auditor conclusions for so-called certification mills, and skipping key framework requirements while assuring clients they are fully compliant. According to the post, Delve allegedly produced fabricated records of board meetings, tests, and processes, effectively forcing customers to choose between using this questionable evidence or reverting to largely manual workflows with limited automation.
The Substack further claims that most Delve customers were funneled to two audit firms, Accorp and Gradient, described as operating primarily from India with only nominal U.S. presence, and allegedly “rubber-stamping” reports generated by Delve. This structure, the author says, inverts standard compliance practice by putting Delve in the dual role of implementer and examiner, which they characterize as a structural fraud that undermines the validity of the resulting attestations and associated public trust pages.
DeepDelver also contends that Delve enables clients to misrepresent their security posture by hosting trust pages that list controls and measures that were never actually implemented, prompting at least one customer to unpublish its trust page and discontinue reliance on Delve. The post describes how Delve allegedly attempted soft damage control with gestures such as sending boxes of donuts while the client raised concerns, a detail that underscores tensions in the customer relationship.
Delve has responded by emphasizing that it does not issue compliance reports itself but instead operates as an automation platform that ingests evidence and provides auditors with access to customer data. The company asserts that final opinions and reports are produced solely by independent, licensed auditors, and says customers may either use their own auditors or select from Delve’s network of third-party firms that it describes as established and widely used across the industry.
Addressing the accusation of fabricated evidence, Delve says it only offers templates designed to help customers document processes in line with compliance requirements and maintains that these drafts are not equivalent to pre-filled or falsified evidence. The startup also stated it is actively investigating any potential data leaks and continues to review the Substack allegations, signaling that its internal risk, legal, and security teams are likely engaged in a detailed assessment of exposure.
The reputational risk expanded when an X user, James Zhou, claimed to have accessed sensitive Delve-related information, including employee background checks and equity vesting schedules, suggesting possible weaknesses in Delve’s own security controls. Security firm founder Jamieson O’Reilly amplified these claims by reporting additional details about what he described as major security gaps on Delve’s external attack surface, raising questions about the robustness of a platform that sells compliance and security automation.
For executives, the situation poses material risks around customer churn, regulatory scrutiny, litigation exposure, and future fundraising, given Delve’s positioning as a trusted compliance infrastructure provider. TechCrunch reported difficulty reaching Delve via its listed media contact, though it did receive a product demo invitation, and has also sought further comment from the whistleblower, suggesting that both the factual record and the market’s perception of Delve’s controls and governance are still evolving and may significantly affect the company’s trajectory.

