Delve accused of misleading customers through ‘fake compliance’

that Anonymous Substack post Published this week accuses startup of compliance Wading “Falsely” convinced “hundreds of customers that they were in compliance” with privacy and security regulations, potentially exposing those customers to “criminal liability under HIPAA and hefty fines under GDPR.”

Delve is a startup backed by Y Combinator last year Announced raising $32 million Series A With a valuation of $300 million. (The round was led by Insight Partners.) On Friday, the startup tried to refute these accusations On her blogcalling Substack’s post “misleading” and saying it “contains a number of inaccurate claims.”

The Substack post is attributed to “DeepDelver,” who described himself as working for a (now former) Delve client.

DeepDelver recounted that it received an email in December claiming that the startup had “leaked a spreadsheet containing confidential customer reports.” While Delve CEO Karun Kaushik assured customers in a later email that they were in compliance and that no outside party had access to sensitive data, DeepDelver said they and other customers became suspicious.

“After our shared experience of frustration with the Delve experience, and a general sense that something fishy was happening, we decided to pool resources and investigate together,” they wrote.

Their conclusion? Delve lives up to its claim of being the fastest platform by producing fake evidence, generating auditor conclusions on behalf of certification factories that rubber-stamp reports, and skipping key framework requirements while telling clients they have achieved 100% compliance.

DeepDelver has gone into great detail about these allegations, accusing the startup of providing customers with “fabricated evidence of board meetings, testing, and operations that never happened,” and then forcing those customers to “choose between adopting fake evidence or performing mostly manual work with little real automation or artificial intelligence.”

DeepDeliver also claimed that almost all of Delph’s clients had gone through two audit firms, Accorp and Gradent, which it described as “part of the same operation”, a firm that operates primarily in India, with only a nominal presence in the US.

They said that these companies are just certified reports created by Delve. As a result, DeepDeliver said the startup is “upending” the normal compliance structure: “By generating auditors’ conclusions, testing procedures, and final reports before any independent review is conducted, DeepDeliver places itself in the role of both enforcer and examiner. This is not a technical issue. Rather, it is a structural fraud that invalidates the entire certification.”

In addition to accusing Delve of misleading its customers, DeepDelver said the startup helps those customers “mislead the public by hosting trust pages that contain security measures that were never implemented.”

As for its own relationship with Delve, DeepDelver said its company has not published its trust page and no longer relies on the startup for compliance.

Delve responded to the accusations by saying it does not issue compliance reports at all. Instead, it is an “automation platform” that ingests information about compliance, and then provides auditors with access to that information.

“Final reports and opinions are issued only by independent, licensed auditors, and not by Delve,” the company said.

Delve also said that its clients “can choose to work with an auditor of their choice or choose to work with an auditor from Delve’s network of independent, accredited third-party audit firms.” These companies are “well-established companies that are widely used across the industry, including other compliance platforms,” the startup said.

In response to the accusation that it provides clients with “fake evidence,” Delve responded that it simply provides “templates to help teams document their processes against compliance requirements, as other compliance platforms do.”

“Draft forms are not the same as ‘pre-filled guides,’” the company said.

Delve added that it is “actively investigating any leaks” and “is still reviewing Substack.”

TechCrunch sent an email requesting additional comment to the media contact address listed on Delve’s website; The email bounced. We’ve also reached out to DeepDelver for additional comment.