Anonymous Accusation Targeting Compliance Startup Delve
An anonymous post on Substack has accused compliance startup Delve of misleading its clients regarding their adherence to privacy and security regulations. The allegations suggest that Delve has falsely assured “hundreds of customers” of their compliance, potentially exposing them to criminal liability under the Health Insurance Portability and Accountability Act (HIPAA) and significant fines under the General Data Protection Regulation (GDPR).
Delve’s Response to Serious Allegations
Delve, a startup backed by Y Combinator, raised $32 million in a Series A funding round last year at a valuation of $300 million, with Insight Partners as its leading investor. To counter the claims made in the Substack post, Delve released a statement on its blog labeling the accusations “misleading” and asserting that the post contains “inaccurate claims.”
Behind the Accusations: Insights from a Former Client
The Substack post, authored by a user identified as “DeepDelver,” claims to be written by someone formerly associated with a Delve client. DeepDelver recounted a troubling email received in December, which alleged that Delve had leaked a spreadsheet containing confidential client reports. Despite assurances from CEO Karun Kaushik that compliance was maintained and no data breaches occurred, DeepDelver and other clients developed a sense of unease.
Collaboration Among Clients Sparks Investigation
DeepDelver stated that clients experiencing similar dissatisfaction decided to collaborate and investigate Delve’s practices. According to their findings, Delve often achieved its compliance claims through questionable means: the post alleges that the startup provided “fake evidence” of compliance, obtained auditor conclusions from certification agencies that lacked proper oversight, and neglected essential regulatory framework requirements while asserting complete compliance.
Allegations of Fabricated Compliance Evidence
DeepDelver provided detailed claims that Delve had supplied fabricated documentation, including evidence of board meetings, tests, and processes that had never taken place. Customers were allegedly faced with the dilemma of either adopting this counterfeit evidence or engaging in predominantly manual efforts with minimal automation or genuine artificial intelligence integration.
Questionable Audit Practices and Client Misrepresentation
Moreover, DeepDelver alleged that nearly all of Delve’s clients had undergone audits through Accorp and Gradient, two firms described as part of a single operation primarily based in India, with minimal presence in the United States. It was claimed that these firms simply rubber-stamped reports produced by Delve, fundamentally undermining the typical compliance audit structure by allowing Delve to play the dual role of service provider and auditor, thus constituting a form of structural fraud.
Delve’s Clarification on Compliance Reporting
In reaction to these serious allegations, Delve emphasized that it does not provide compliance reports itself; instead, it serves as an “automation platform” that consolidates compliance information for auditors. Delve maintains that final reports and opinions are solely generated by independent, certified auditors rather than the company itself. Furthermore, Delve stated that clients have the option to select auditors independently or from a network of accredited third-party firms widely recognized in the compliance industry.
Defense Against Claims of Fake Evidence
Addressing the assertion that it provides “fake evidence,” Delve clarified that it offers templates designed to assist clients in documenting processes as per compliance requirements, a common practice among compliance platforms. The company insists that providing draft templates does not equate to supplying pre-filled evidence. Additionally, Delve conveyed its commitment to investigating any possible information leaks and to its ongoing review of the Substack post.
Correspondence sent to Delve requesting further comment bounced back, and attempts to contact DeepDelver for additional insights remain unanswered.
