A whistleblower known as DeepDelver has accused Delve, a Y Combinator-backed compliance startup, of misleading hundreds of customers by allegedly fabricating evidence of regulatory compliance. The claims suggest clients may have been convinced they met HIPAA and GDPR standards, potentially exposing them to legal penalties and fines.
Delve’s Rapid Rise and Business Model
Founded by MIT dropouts, Delve secured a $32 million Series A round in 2025, led by Insight Partners, achieving a $300 million valuation.
Delve positions itself as an automation platform that ingests compliance data and provides auditors with access to it, promising to accelerate the process of obtaining certifications like SOC 2, ISO 27001, HIPAA, and GDPR. These certifications are widely recognized indicators of data security and regulatory adherence, critical for companies seeking enterprise clients.
Core Allegations of Structural Fraud
According to DeepDelver, who identifies as a former client employee, Delve allegedly produces fake records of board meetings, tests, and processes that never occurred.
The whistleblower claims that audit firms Accorp and Gradient — described as “certification mills” — rubber-stamp reports generated by Delve without independent verification.
Customers allegedly displayed trust pages promoting security measures that were not actually implemented, misleading both the public and regulators.
DeepDelver described Delve’s process as “inverting” compliance, generating auditor conclusions and reports before independent review, creating what they termed a structural fraud.
Triggering Incident and Investigation
The controversy began after a December 2025 spreadsheet leak of confidential client reports. Delve’s CEO, Karun Kaushik, reportedly emailed clients assuring them that no external party had gained access and that compliance was intact.
Dissatisfied customers pooled resources to investigate, uncovering skipped framework requirements and pre-filled templates. DeepDelver said that while their company was trying to resolve the issues with Delve, the startup reportedly sent boxes of donuts in an attempt to smooth tensions.
Delve’s Defense and Clarification
Delve has publicly refuted the allegations, emphasizing that:
- It does not issue compliance reports; only independent, licensed auditors produce final reports.
- It provides documentation templates to help teams demonstrate compliance, similar to other platforms.
- Clients can choose auditors from Delve’s network or bring their own, and all audits are conducted by established, independent firms.
- Delve is investigating any leaks and reviewing the Substack claims.
In response to the allegation of “fake evidence,” Delve clarified that draft templates are not pre-filled evidence and are meant solely to assist customers in documenting processes.
Broader Implications
This controversy highlights the risks in AI-driven compliance automation, especially when startups promise rapid certification. If misused or misunderstood, such platforms could erode trust in automated audit tools and trigger stricter industry oversight.
Companies relying on compliance certifications could face significant legal and financial consequences, including potential liability under HIPAA and fines under GDPR.