An anonymous Substack post published this week accused startup Delve of “falsely” convincing “hundreds of customers that they were in compliance” with privacy and security laws, potentially exposing those customers to “criminal liability under HIPAA and significant fines under GDPR.”
Delve is a Y Combinator-backed startup that last year announced a $32 million Series A raise at a $300 million valuation. (The round was led by Insight Partners.) On Friday, the startup tried to refute the allegations on its blog, calling Substack’s post “misleading” and saying it “contains numerous inaccurate claims.”
The Substack post was attributed to “DeepDelver,” who described themselves as working for the (now former) Delve client.
DeepDelver also recounted receiving an email in December saying the startup had “leaked a spreadsheet with confidential customer reports.” While Delve CEO Karun Kaushik apparently assured customers in a subsequent email that they were in compliance and that no outsiders had gained access to sensitive data, DeepDelver said they and other customers have become suspicious.
“Having a shared experience of frustration with the Delve experience, and feeling that something was going on, we decided to pool resources and investigate together,” they wrote.
Their fate? Delve that “fulfills its claim of being the fastest platform by generating false positives, issuing auditor’s conclusions on behalf of certification mills that rubber stamp reports, and bypassing major regulatory requirements while telling customers to achieve 100% compliance.”
DeepDelver went into more detail about those claims, accusing the startup of providing customers with “fictitious evidence of board meetings, tests, and processes that never happened,” and then forcing those customers to “choose between accepting false testimony or doing manual labor with little automation or AI.”
Techcrunch event
San Francisco, CA
|
October 13-15, 2026
DeepDelver also said that almost all of Delve’s clients appear to have gone through two auditing firms, Accorp and Gradient, which they described as “part of the same practice,” operating mostly in India, with only a presence in the United States.
Those companies, they say, are just rubber-stamping reports created by Delve. Because of this, DeepDelver said that the startup is “transforming” the structure of standard compliance: “By making the auditor’s conclusions, evaluation procedures, and final reports before any independent review takes place, Deepve puts itself in the role of both the initiator and the auditor. This is not intelligence. It is structural fraud that invalidates all evidence.”
In addition to accusing Delve of misleading its customers, DeepDelver said the startup is helping those customers “mislead the public by hosting trust pages that contain security measures that have never been implemented.”
Regarding its relationship with Delve, DeepDelver said that their company does not publish its trust page and is no longer dependent on compliance enforcement.
Delve has responded to these allegations by saying that it does not issue compliance reports at all. Instead, it is an “automation platform” that imports information about compliance, and then provides auditors with access to that information.
“Final reports and opinions are issued only by independent, licensed auditors, not Delve,” the company said.
Delve also said that its clients “can choose to work with an auditor of their own choosing or choose to work with Delve’s network of independent, accredited third-party audit firms.” Those companies, the startups say, are “established firms that are widely used across the industry, including other compliance platforms.”
In response to accusations that it provides customers with “false proof,” Delve argued that it simply provides “templates to help teams document their processes according to compliance requirements, as do other compliance platforms.”
“Draft templates are not the same as ‘pre-filed proofs,'” the company said.
Delve added that it is “actively investigating any leaks” and “will continue to update Substack.”
TechCrunch sent an email seeking further comment to the media contact address listed on Delve’s website; email is closed. We’ve also reached out to DeepDelver for further comment.
