Compliance Startup Faces Serious Allegations of Misrepresentation
An anonymous Substack post has emerged this week, accusing compliance startup Delve of misleading its clients by falsely assuring them of compliance with privacy and security regulations. These allegations suggest that hundreds of customers may be exposed to potential legal risks under the Health Insurance Portability and Accountability Act (HIPAA) and substantial fines under the General Data Protection Regulation (GDPR).
Delve’s Background and Recent Funding
Delve, a startup backed by Y Combinator, gained significant attention last year after announcing a $32 million Series A funding round, raising its valuation to $300 million. The investment round was led by Insight Partners. Following the backlash from the recent accusations, Delve issued a response on its blog, describing the Substack post as “misleading” and claiming it contains numerous inaccuracies.
The Anonymity of the Accuser Raises Concerns
The author, who goes by “DeepDelver,” described their previous role at a now-former Delve client. In correspondence with TechCrunch, DeepDelver explained that their decision to remain anonymous was motivated by fears of retaliation from Delve.
Investigations Prompted by Suspicion
DeepDelver recounted a troubling experience involving an email received in December alleging that Delve had leaked confidential client reports. Despite Delve CEO Karun Kaushik’s assurances to customers about compliance and the security of sensitive data, DeepDelver expressed growing skepticism and indicated a collective decision among clients to investigate the company’s practices.
Claims of Fabrication and Cheating the Compliance System
In their detailed account, DeepDelver made grave assertions regarding Delve’s operations. They accused the startup of producing fake evidence to satisfy compliance claims and of generating reports and auditor conclusions through unverified means. This practice, they argue, undermines the legitimacy of the compliance framework, putting customers at significant risk.
Anecdotes of Misleading Practices and Disconcerting Relationships
According to DeepDelver, nearly all of Delve’s clients have undergone audits by two firms, Accorp and Gradient, which DeepDelver labeled as interconnected operations primarily based in India. These firms are accused of merely rubber-stamping reports generated by Delve, blatantly flouting traditional compliance structures. DeepDelver also claimed the startup misleads clients by showcasing trust pages with security measures that were never enacted.
Delve’s Defense and Continued Investigation
In response to these serious allegations, Delve has maintained that it does not issue compliance reports itself. It insists that its role is to provide an automation platform that allows auditors to access relevant compliance information. Delve clarified that final reports and opinions are solely produced by independent, licensed auditors, reiterating that clients can choose auditors from its network or opt for an external firm of their preference.
Ongoing Challenges and A Promised Follow-Up
Despite Delve’s rebuttal, DeepDelver expressed disappointment in the startup’s response, asserting that it sidesteps accountability by labeling drafts as “templates” rather than pre-filled evidence. Furthermore, DeepDelver hinted that a follow-up exposé will be released soon to delve deeper into the issues raised. Meanwhile, security concerns have been amplified by another user on X, who claims to have accessed sensitive Delve data, including employee background checks and equity vesting schedules.
This article was originally published on March 21, 2026, and has been updated with responses from DeepDelver, security vulnerability details, and further information on Delve’s official stance.
