Another client of struggling startup Delve experienced a major security incident


The story of compliance startup Delve continues to take twists and turns.

TechCrunch has confirmed that Delve is the compliance firm that issued security certifications to Context AI, the AI agent training startup that last week disclosed a security incident. This led to a data breach at the popular app and website hosting giant Vercel.

On the other hand, Lovable, which had its own security incident, is no longer a Delve customer.

To recap: Last month, Delve came under fire when an anonymous whistleblower alleged that the startup was falsifying customer data and using rubber-stamp auditors in compliance and certification processes. Delve has denied these allegations.

Shortly thereafter, intruders attacked one of Delve’s security certification clients, LiteLLM, and planted malware in its open source code. After the incident, LiteLLM told TechCrunch that it had phased out Delve and re-certified.

Delve was also accused of taking an open source tool and passing it off as its own work without attributing the appropriate license. The startup’s reputation became shaky, which prompted Y Combinator, where Delve graduated from, to cut ties.

Fast forward to last weekend, and Vercel said hackers had broken into its internal systems and accessed some customer data. The company said that the hackers broke in after an employee downloaded an application designed by Context AI and linked this application to the Vercel account hosted by Google. The hackers abused this employee’s access to their Google account to break into some of Vercel’s internal systems.

After Context AI was named in the Vercel attack, Gergely Orosz, author of the engineering newsletter The Pragmatic Engineer, said in a post on X that Delve is the company that handled the security certification for Context AI.

Context AI has now confirmed to TechCrunch that it used Delve, but it has since abandoned the startup and is in the process of recertification.

“Yes, Context was previously a Delve customer,” a Context AI spokesperson told TechCrunch. The spokesperson added: “Following the Delve-related reports in March, we moved our compliance program to Vanta and engaged Insight Assurance, an independent audit firm, to conduct new checks. As part of the re-examination, we have begun updating our public materials, and will share the new certification when it is complete.”

Security certifications in and of themselves do not stop security issues. They aim to verify that the company has policies and processes in place to thwart attacks and reduce the possibility of customer data being compromised.

Case in point: Lovable was a Delve customer; however, after the whistleblower allegations came to light, the biometric tokenization platform said it abandoned the startup in late 2025. It said the company had already recompleted one security certification and was in the process of reissuing others.

However, Lovable admitted on Monday that it inadvertently shared access to customer chat data publicly. The company also said it dismissed vulnerability reports that alerted the company to the issue months ago. Lovable apologized for initially denying that a data breach had occurred, though it said the issue was due to a configuration error, not a hack.

There’s even more strange news going around about Delve. The anonymous whistleblower, DeepDelver, published another post claiming that Delve refuses to refund customers, but nonetheless took its team of more than 20 people to an off-site meeting in Hawaii from April 15 to April 19.

The whistleblower shared some convincing receipts with TechCrunch that lend credibility to the alleged Hawaii trip, but TechCrunch was unable to confirm other claims.

Delve did not respond to requests for comment and confirmation and bounced an email sent to its media relations address.
