Compliance startup Delve has been accused of misleading hundreds of customers by falsely convincing them they were compliant with privacy and security regulations, potentially exposing those customers to criminal liability under HIPAA and hefty fines under GDPR.
Delve, a Y Combinator-backed startup, last year announced raising a $32 million Series A at a $300 million valuation, led by Insight Partners. The startup has attempted to refute the accusations on its blog, calling the claims "misleading" and saying they "contain a number of inaccurate claims."
The accusations were made in an anonymous Substack post by "DeepDelver," who claims to have worked at a former Delve client. DeepDelver alleged that Delve "achieves its claim of being the fastest platform by producing fake evidence, generating auditor conclusions on behalf of certification mills that rubber stamp reports, and skipping major framework requirements while telling clients they have achieved 100% compliance."
The Accusations
DeepDelver claimed that Delve provides customers with "fabricated evidence of board meetings, tests, and processes that never happened," then forces those customers to "choose between adopting fake evidence or performing mostly manual work with little real automation or AI." The post also alleged that virtually all of Delve's clients seem to have gone through two audit firms, Accorp and Gradient, which are described as "part of the same operation" and "rubber-stamping reports that were generated by Delve."
Delve responded to the accusations by saying it does not issue compliance reports at all, but rather is an "automation platform" that ingests information about compliance and provides auditors with access to that information. The company also said that its customers "can opt to work with an auditor of their choosing or opt to work with one from Delve's network of independent, accredited third-party audit firms."
Security Concerns
Following the initial Substack post, an X user named James Zhou claimed to have gained access to sensitive information from Delve, such as employee background checks and equity vesting schedules. Dvuln founder Jamieson O'Reilly shared more details from a conversation with Zhou about "several gaping security holes in Delve's external attack surface."
TechCrunch sent an email seeking additional comment to the media contact address listed on Delve's website, but the email bounced. TechCrunch has also reached out to DeepDelver for additional comment.
