A Y Combinator-backed compliance startup called Delve is facing accusations that it fabricated audit evidence, generated fraudulent compliance reports, and left hundreds of customers exposed to regulatory liability — charges the company flatly denies.
The accusations come from an anonymous Substack post authored by someone calling themselves “DeepDelver,” who described themselves as a former client. According to the post, Delve “achieves its claim of being the fastest platform by producing fake evidence, generating auditor conclusions on behalf of certification mills that rubber stamp reports, and skipping major framework requirements while telling clients they have achieved 100% compliance.” The author said they and collaborators pooled resources to investigate after growing suspicious following a reported data leak in December, in which the startup allegedly leaked a spreadsheet containing confidential client reports.
DeepDelver claims the startup provided customers with “fabricated evidence of board meetings, tests, and processes that never happened,” then pressured those customers to either adopt the fake evidence or perform largely manual compliance work themselves. The post warns this exposure could result in “criminal liability under HIPAA and hefty fines under GDPR.”
The structural accusation is the sharpest. DeepDelver alleges that Delve effectively placed itself in both the implementer and examiner roles — generating auditor conclusions, test procedures, and final reports before any independent review occurred. “This is not a technicality,” the post states. “It is a structural fraud that invalidates the entire attestation.” The post also claims nearly all of the startup’s clients passed through just two audit firms, Accorp and Gradient, described as “part of the same operation” based primarily in India with minimal U.S. presence, and accused of rubber-stamping reports produced by Delve itself.
DeepDelver said the anonymous authors stayed unnamed “out of fear for retaliation by Delve.” Their own employer, they said, has since unpublished its trust page and stopped using the platform — after, they noted, the startup sent multiple boxes of donuts while complaints were being discussed.
Delve Pushes Back
The company posted a rebuttal on its blog Friday, calling the Substack post “misleading” and saying it “contains a number of inaccurate claims.” Delve says it does not issue compliance reports at all. The firm describes itself as an automation platform that ingests compliance-related information and surfaces it for auditors — with final reports and opinions issued “solely by independent, licensed auditors, not Delve.”
Delve raised a $32 million Series A last year at a $300 million valuation, according to the announcement, with the round led by Insight Partners. That fundraise now sits as backdrop to accusations that go to the core of what the product actually delivers.
What Remains Unresolved
The competing accounts leave a direct factual dispute: DeepDelver says Delve generates the auditor conclusions itself; the company says independent auditors retain full control. Neither side has produced documentation publicly. CEO Karun Kaushik reportedly emailed clients following the December spreadsheet incident to assure them no external party accessed sensitive data and that their compliance standing was unaffected — an assurance DeepDelver says prompted their investigation rather than ending it.
DeepDelver also accuses the startup of helping clients “mislead the public by hosting trust pages that contain security measures that were never implemented.”
Photo by Leeloo The First on Pexels
This article is a curated summary based on third-party sources. Source: Read the original article
