Compliance startup Delve is under fire after a pseudonymous Substack report alleged the company misled “hundreds” of customers into believing they were fully compliant with data protection and security standards. The authors claim Delve’s tactics could expose clients to regulatory penalties under HIPAA and GDPR. Delve rejects the accusations, calling them misleading and insisting it does not issue compliance reports.
Backed by Y Combinator, Delve last year raised a $32 million Series A at a reported $300 million valuation, positioning itself as an automation layer for SOC 2, ISO 27001, HIPAA and other compliance frameworks. The new claims test the credibility of “compliance-as-a-service” platforms that promise faster attestations and AI-driven workflows.
What the allegations claim about Delve’s compliance tactics
The Substack authors, writing as DeepDelver, say they began investigating after hearing of a leaked spreadsheet containing confidential client reports. They allege Delve generated pre-baked evidence and auditor conclusions, routed customers through a narrow set of audit firms, and declared full compliance while skipping material controls.
One focal point is independence: the report asserts that most Delve customers were funneled to two firms, Accorp and Gradient, described as closely linked operations centered in India with limited U.S. presence. DeepDelver argues that allowing a platform to generate audit workpapers and purported conclusions before any independent review flips the assurance model and invalidates attestations.
The authors also accuse Delve of enabling public “trust pages” that list controls never implemented, and they recount receiving gestures—from pastries to repeated assurances—rather than remediation. Separately, a security researcher named James Zhou claimed to have gained access to sensitive internal data, including employee background checks and equity records; an industry peer said Zhou described “gaping” exposure on the company’s external attack surface.
Delve’s response to the allegations and key criticisms
Delve denies issuing reports and frames itself purely as an automation platform that aggregates evidence for auditors. The company says final opinions are delivered by independent, licensed third parties, and customers may select any auditor or choose from Delve’s network. It characterizes the firms in its network as established providers used widely across the industry.
On the “fake evidence” charge, Delve says it provides templates to help customers document processes to meet framework requirements—no different from other compliance platforms. Templates, the company argues, are not pre-filled evidence and require clients to customize content. Delve also says it is investigating potential leaks and reviewing the Substack allegations.
DeepDelver counters that rebranding pre-populated artifacts as “templates” shifts responsibility onto customers while preserving the same outcome. The group also says Delve has not fully addressed questions about auditor relationships, the depth of its AI, or the accuracy of public-facing trust pages.
Why alleged ‘fake compliance’ practices pose serious risks
Frameworks like SOC 2 and ISO 27001 rely on independent assessment and on evidence that is timely, complete, and tied to controls actually operating during the audit period. The AICPA Code of Professional Conduct identifies a self-review threat: an auditor cannot objectively evaluate work that the auditor or the auditor’s own firm produced, which is why management-prepared or tool-generated conclusions cannot stand in for the auditor’s own procedures. Shortcuts can leave material gaps in access control, incident response, change management, and board oversight.
The regulatory exposure is real. Under GDPR, EU authorities have issued fines totalling billions of euros since enforcement began in 2018, including a €1.2 billion penalty against Meta in 2023 for unlawful EU-to-U.S. data transfers. HIPAA enforcement by the U.S. Department of Health and Human Services’ Office for Civil Rights regularly produces multimillion-dollar settlements, often citing a missing or inadequate risk analysis or insufficient safeguards. Separately, the FTC treats overstated security and privacy practices as deceptive and has brought cases against companies that misrepresented how they protected consumer data.
Auditors and independence under heightened scrutiny
Not all attestation providers are equal. SOC 2 is not a government certification; it is an attestation report issued by a licensed CPA firm under AICPA attestation standards, and the firm is subject to quality-control requirements and peer review. A firm’s geography matters less than its licensing, independence, and methodology. Customers should verify the firm’s license and peer-review status and obtain a signed independence representation for each engagement.
Platform-driven, one-to-many audit funnels raise independence concerns when the tooling pre-populates workpapers, test procedures, or conclusions. The safer division of labor is for the platform to collect evidence read-only and map it to controls, while the auditor designs and executes the procedures, examines the raw artifacts, and documents its own conclusions.
What to watch next as investigations and reviews unfold
DeepDelver says a second installment is coming. Expect customers to re-validate controls, pause or edit public trust pages, and seek independent retests. If the whistleblower claims about security exposures gain traction, they could draw interest from state attorneys general, data protection authorities, or HHS OCR, especially if alleged misstatements affected consumers or patients.
For now, companies using any compliance platform should run spot checks:
- Confirm a risk assessment was actually performed during the audit period and approved by a named owner.
- Verify that the board or senior leadership reviewed security and compliance status, with minutes or sign-off to show it.
- Sample access recertifications for key systems and roles, and confirm that accounts flagged for removal were actually removed.
- Tie change logs and deployment records to approved tickets, checking that approval preceded the deployment and came from someone other than the deployer.
- Retain native artifacts (system exports, logs, timestamped screenshots) as evidence, not just summaries or template text.
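The change-management spot check above is the kind of reconciliation a customer can run on its own exports rather than trusting a platform summary. The following is an added example written for this article; it is not code from Delve, DeepDelver, or any compliance platform. The deployment and ticket rows are constructed sample data, and the field names (ticket id, deployer, approver, approval timestamp) are assumptions about what a CI/CD log and a ticketing export would carry. It flags deployments with no ticket, an unknown ticket, an unapproved ticket, an approval stamped after the deployment (the backfilled-approval pattern), and self-approval.

```python
"""
Spot check: reconcile production deployment records against approved change tickets.

All data below is constructed for illustration. Field names are assumptions about
what a deployment log and a ticketing export would contain.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Ticket:
    ticket_id: str
    status: str                       # assumed values: "approved", "open", "rejected"
    approver: Optional[str]           # None until someone approves
    approved_at: Optional[datetime]   # UTC; None until approved
    requester: str


@dataclass(frozen=True)
class Deployment:
    deploy_id: str
    ticket_id: Optional[str]          # None when the deploy was pushed without a ticket
    deployer: str
    deployed_at: datetime             # UTC
    environment: str


def _ts(s: str) -> datetime:
    """Parse a naive ISO-8601 string as UTC."""
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


# Constructed sample ticketing export.
TICKETS: Dict[str, Ticket] = {t.ticket_id: t for t in [
    Ticket("CHG-101", "approved", "alice", _ts("2025-03-01T09:00:00"), "bob"),
    Ticket("CHG-102", "open", None, None, "bob"),
    Ticket("CHG-103", "approved", "bob", _ts("2025-03-03T12:00:00"), "bob"),
    Ticket("CHG-104", "approved", "alice", _ts("2025-03-05T17:00:00"), "carol"),
]}

# Constructed sample deployment log.
DEPLOYMENTS: List[Deployment] = [
    Deployment("d1", "CHG-101", "bob", _ts("2025-03-01T10:00:00"), "prod"),    # clean
    Deployment("d2", "CHG-102", "bob", _ts("2025-03-02T10:00:00"), "prod"),    # ticket never approved
    Deployment("d3", "CHG-103", "bob", _ts("2025-03-03T13:00:00"), "prod"),    # approved by the deployer
    Deployment("d4", "CHG-104", "carol", _ts("2025-03-05T10:00:00"), "prod"),  # approval after deploy
    Deployment("d5", None, "dave", _ts("2025-03-06T10:00:00"), "prod"),        # no ticket at all
    Deployment("d6", "CHG-999", "dave", _ts("2025-03-07T10:00:00"), "prod"),   # ticket not in export
    Deployment("d7", None, "dave", _ts("2025-03-07T11:00:00"), "staging"),     # out of scope
]


def check_deployment(dep: Deployment, tickets: Dict[str, Ticket],
                     in_scope_envs=("prod",)) -> List[str]:
    """Return finding codes for one deployment; an empty list means it passes."""
    if dep.environment not in in_scope_envs:
        return []                                   # only production changes need a ticket here
    if not dep.ticket_id:
        return ["NO_TICKET"]
    ticket = tickets.get(dep.ticket_id)
    if ticket is None:
        return ["UNKNOWN_TICKET"]
    if ticket.status != "approved" or ticket.approved_at is None:
        return ["NOT_APPROVED"]
    findings = []
    if ticket.approved_at > dep.deployed_at:
        findings.append("APPROVED_AFTER_DEPLOY")    # approval backfilled after the change shipped
    if ticket.approver in (dep.deployer, ticket.requester):
        findings.append("SELF_APPROVED")            # no segregation of duties
    return findings


def reconcile(deployments: List[Deployment], tickets: Dict[str, Ticket]) -> Dict[str, List[str]]:
    """Map each failing deploy_id to its findings; passing deployments are omitted."""
    results = {}
    for dep in deployments:
        findings = check_deployment(dep, tickets)
        if findings:
            results[dep.deploy_id] = findings
    return results


def exception_rate(deployments: List[Deployment], tickets: Dict[str, Ticket]) -> float:
    """Share of in-scope deployments with at least one finding."""
    in_scope = [d for d in deployments if d.environment == "prod"]
    failing = reconcile(in_scope, tickets)
    return len(failing) / len(in_scope) if in_scope else 0.0


if __name__ == "__main__":
    for deploy_id, findings in reconcile(DEPLOYMENTS, TICKETS).items():
        print(f"{deploy_id}: {', '.join(findings)}")
    print(f"exception rate: {exception_rate(DEPLOYMENTS, TICKETS):.0%}")
```

Run it against a real export by replacing the two constructed tables with rows loaded from the CI/CD system and the ticketing tool; the point is that the check runs on native records, not on a platform-generated summary, and that a non-zero exception rate on a sample is itself the evidence an auditor needs to see.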
Templates can be a starting point, not a substitute for evidence. The line between smart automation and manufactured assurance is thin—and regulators, customers, and investors are watching who crosses it.