Compliance automation startup Delve is under fire after an anonymous Substack post alleged the company misled customers with “fake compliance,” including fabricated evidence and rubber-stamped audit reports. The claims, if true, could expose clients to significant regulatory and legal risk, from GDPR fines to potential HIPAA penalties. Delve denies the allegations, calling the post inaccurate and asserting that independent auditors, not the company, issue final reports.
What the Allegations Say About Delve’s Practices
The whistleblower, identifying as a former customer, claims Delve generated auditor-style conclusions in advance, filled gaps with templated “evidence” for processes that never occurred, and routed most clients to a small set of audit firms that allegedly approved reports with minimal independent testing. Two firms, Accorp and Gradient, were singled out as frequent Delve partners — described by the poster as operating largely overseas while marketing a nominal U.S. footprint.
The core charge is structural: by producing conclusions and artifacts before an external review, Delve allegedly blurred the line between implementer and examiner. In regulated environments, that separation is not a nicety — it is a prerequisite for credible assurance. The post further claims Delve-hosted “trust pages” touted controls some customers had not implemented, raising the specter of public misrepresentation.
Delve’s Response to the Compliance Allegations
Delve rejects the accusations. The company says it is an automation platform that aggregates control data and provides auditors with access, while licensed, independent firms issue all opinions. Customers can select any auditor, Delve says, or pick from its network — which the company characterizes as established, industry-standard firms used by other compliance platforms.
On the “fake evidence” charge, Delve says it offers templates to help teams document policies and procedures, a common practice across compliance software. Draft templates, the company argues, are not pre-filled evidence and do not replace actual testing. Delve also says it is investigating reports of a leaked spreadsheet and reviewing the whistleblower’s post.
Why Auditor Independence Matters for Assurance
At the heart of the dispute is independence — a baseline for attestations like SOC 2 and ISO 27001. Under AICPA standards, a SOC 2 examination must be performed by a licensed CPA firm with appropriate independence, documentation, and testing. If a platform effectively drafts the conclusions and the auditor merely endorses them, the assurance value collapses.
The risks are not hypothetical. EU data protection authorities have issued cumulative multi‑billion‑euro GDPR fines since 2018, and the law allows penalties up to 4% of global annual turnover for the most serious violations. In the U.S., the HHS Office for Civil Rights has extracted multimillion‑dollar HIPAA settlements, and egregious misconduct can trigger criminal exposure. Separately, the FTC has brought actions against companies for overstating security controls, including cases involving misrepresented data protections.
Trust Pages and the Line Between Marketing and Misrepresentation
Trust portals are now standard in sales cycles, offering evidence of encryption, access controls, incident response, and vendor risk practices. But these pages can overreach. If a company states that annual penetration tests, board-level risk reviews, or workforce training occurred when they did not, those claims can be construed as deceptive. In past enforcement actions, regulators have treated inaccurate security disclosures as consumer protection violations regardless of intent.
The whistleblower’s assertion that some Delve customers showcased controls they lacked — if verified — would put those firms, not just Delve, in the regulatory crosshairs. Even automated evidence collection requires rigorous scoping, human oversight, and change management to ensure representations stay accurate.
How This Controversy Hits a Hot Compliance Market
Delve, a Y Combinator alum that last year announced a $32 million Series A led by Insight Partners at a reported $300 million valuation, competes in a crowded field that includes Vanta, Drata, and Secureframe. These platforms promise faster audits, reduced manual toil, and continuous monitoring — goals many security teams welcome. But speed cannot substitute for independence or adequate testing, and auditor choice must be real, not nominal.
This controversy may prompt renewed scrutiny of how platforms generate evidence, how auditor networks are curated, and how far templates go before they become pre-written artifacts that bias conclusions.
What Customers Should Do Now to Reduce Risk
- Validate your report provenance: confirm your auditor’s licensing, independence, and peer review status under AICPA programs; for ISO 27001, verify accreditation of the certification body.
- Re-perform key tests: sample access reviews, logging configurations, backups, and change-management evidence without relying on platform-provided narratives. Ensure timestamps, approvers, and artifacts are verifiable.
- Check public claims: audit trust pages and security FAQs against implemented controls. Remove or qualify any statement you cannot back with dated evidence.
- Preserve documentation: maintain audit trails of who generated evidence, when, and via which systems. If templates were used, document edits and approvals.
- Engage legal and privacy counsel: reassess GDPR and HIPAA risk posture, including data mapping, breach notification playbooks, and vendor contracts that rely on third-party attestations.
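The "re-perform key tests" and "preserve documentation" steps above can be partly scripted. The following is an added example, not code from the article, from Delve, or from any auditor: it takes evidence records exported from a compliance platform and re-checks the properties the checklist calls for (a generation timestamp inside the audit period, a named approver distinct from the person who generated the artifact, a system of record as the source, no unfilled template text, and an integrity hash that still matches the content) rather than trusting the platform's narrative. The record layout, field names, allowlisted source systems and sample records are all assumptions constructed for this example.

```python
import hashlib
import re
from datetime import datetime, timezone

# Assumption: systems whose exports count as primary evidence; anything else
# (a hand-written or templated narrative) is flagged for independent re-testing.
SYSTEMS_OF_RECORD = {"idp", "siem", "backup-console", "ticketing"}

# Markers typically left behind when a policy template was never filled in.
PLACEHOLDER = re.compile(r"\[[A-Z][A-Z _]+\]|\{\{.*?\}\}|\bTBD\b|\bLorem ipsum\b")


def _parse(ts):
    """Parse an ISO-8601 timestamp; return None if missing or malformed."""
    if not ts:
        return None
    try:
        return datetime.fromisoformat(ts.replace("Z", "+00:00"))
    except ValueError:
        return None


def sha256_of(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def check_evidence(rec, period_start, period_end):
    """Return the list of findings for one evidence record (empty = passes)."""
    findings = []
    generated = _parse(rec.get("generated_at"))
    approved = _parse(rec.get("approved_at"))

    if generated is None:
        findings.append("missing or unparseable generation timestamp")
    elif not (period_start <= generated <= period_end):
        findings.append("generated outside the audit period")

    if not rec.get("approved_by"):
        findings.append("no named approver")
    elif rec.get("approved_by") == rec.get("generated_by"):
        findings.append("approver is the same person who generated the evidence")
    if approved is not None and generated is not None and approved < generated:
        findings.append("approval timestamp precedes generation")

    if rec.get("source_system") not in SYSTEMS_OF_RECORD:
        findings.append("artifact not exported from a system of record")

    if PLACEHOLDER.search(rec.get("content", "")):
        findings.append("unfilled template placeholder in evidence text")

    # Recompute the integrity hash instead of trusting the stored field, so an
    # artifact edited after approval is caught.
    if rec.get("sha256") != sha256_of(rec.get("content", "")):
        findings.append("stored hash does not match artifact content")
    return findings


def review_evidence(records, period_start, period_end):
    """Map control_id -> findings for every record that fails at least one check."""
    results = {}
    for rec in records:
        findings = check_evidence(rec, period_start, period_end)
        if findings:
            results[rec["control_id"]] = findings
    return results


def _sample(control_id, content, **fields):
    """Build a constructed sample record with a correct hash."""
    rec = {"control_id": control_id, "content": content, "sha256": sha256_of(content)}
    rec.update(fields)
    return rec


# Constructed sample export: one clean record, one templated self-approved
# narrative, one artifact from before the audit period, one edited after hashing.
SAMPLE_RECORDS = [
    _sample("CC6.1-access-review", "Quarterly access review export: 42 accounts reviewed, 3 removed.",
            generated_by="alice", generated_at="2024-03-15T10:00:00Z",
            approved_by="bob", approved_at="2024-03-16T09:00:00Z", source_system="idp"),
    _sample("CC7.2-logging", "Logging is configured per [COMPANY NAME] policy.",
            generated_by="alice", generated_at="2024-03-15T10:00:00Z",
            approved_by="alice", approved_at="2024-03-15T10:00:00Z", source_system="template"),
    _sample("A1.2-backups", "Backup job log: nightly restore test succeeded.",
            generated_by="carol", generated_at="2023-11-01T02:00:00Z",
            approved_by="dave", approved_at="2023-11-02T08:00:00Z", source_system="backup-console"),
    _sample("A1.2-backups-tampered", "Backup job log: nightly restore test succeeded.",
            generated_by="carol", generated_at="2024-05-01T02:00:00Z",
            approved_by="dave", approved_at="2024-05-02T08:00:00Z", source_system="backup-console"),
]
SAMPLE_RECORDS[3]["content"] += " (edited after approval)"

AUDIT_PERIOD = (datetime(2024, 1, 1, tzinfo=timezone.utc),
                datetime(2024, 12, 31, 23, 59, 59, tzinfo=timezone.utc))


def review_sample():
    return review_evidence(SAMPLE_RECORDS, *AUDIT_PERIOD)


if __name__ == "__main__":
    for control, findings in review_sample().items():
        print(control, "->", "; ".join(findings))
```

Run against a real export, the output is a worklist for re-performance: every flagged control is one where the platform-supplied artifact cannot stand on its own and a human must pull the primary evidence (the access-review export, the logging configuration, the backup job log) directly from the system of record.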
The Bottom Line on the Delve Compliance Dispute
Automation can accelerate compliance, but it cannot automate independence. Whether the whistleblower’s claims hold up will hinge on audit workpapers, sampling depth, and the true role Delve played in generating conclusions. For customers, the immediate imperative is clear: verify controls, verify auditors, and treat trust as something earned, not templated.