March 21, 2026 — Delve, a Y Combinator-backed compliance automation startup, is facing serious allegations from an anonymous source claiming the company misled customers by fabricating evidence of regulatory adherence. The accusations, detailed in a Substack post, suggest the startup’s practices could expose clients to legal and financial risk.
Anonymous Allegations Detail Systemic Issues
The Substack post, authored by an individual using the pseudonym “DeepDelver,” was published this week. The author claims to have worked at a former client of Delve. The post alleges Delve convinced hundreds of customers they were fully compliant with frameworks like HIPAA and GDPR while skipping major requirements.
“Delve achieves its claim of being the fastest platform by producing fake evidence, generating auditor conclusions on behalf of certification mills that rubber stamp reports, and skipping major framework requirements while telling clients they have achieved 100% compliance,” DeepDelver wrote.
The anonymous source described receiving an email in December 2025 claiming Delve had leaked a spreadsheet with confidential client reports. While Delve CEO Karun Kaushik reportedly assured customers no external party accessed sensitive data, DeepDelver said this incident prompted a collaborative investigation by several skeptical clients.
Claims of Fabricated Evidence and Rubber-Stamp Audits
DeepDelver’s investigation concluded that Delve provided customers with “fabricated evidence of board meetings, tests, and processes that never happened.” The post claims clients were then forced to choose between adopting this false documentation or performing manual work themselves, contradicting Delve’s automation promises.
A significant allegation centers on Delve’s audit partners. DeepDelver claims virtually all Delve clients used two audit firms, Accorp and Gradient, described as “part of the same operation” based primarily in India. The post asserts these firms rubber-stamped reports generated by Delve, inverting the normal compliance structure.
“By generating auditor conclusions, test procedures, and final reports before any independent review occurs, Delve places itself in the role of both implementer and examiner,” DeepDelver wrote. “This is not a technicality. It is a structural fraud that invalidates the entire attestation.”
Delve’s Public Response and Denials
Delve responded to the allegations in a blog post, calling the Substack article “misleading” and saying it contained “a number of inaccurate claims.” The startup, which announced a $32 million Series A round led by Insight Partners last year, defended its business model.
The company stated it does not issue compliance reports. “Final reports and opinions are issued solely by independent, licensed auditors, not Delve,” the response read. Delve described itself as an automation platform that ingests client information and provides auditors access to it.
Regarding audit partners, Delve said customers can choose their own auditor or select one from Delve’s network of “independent, accredited third-party audit firms.” The company said these are “established firms used broadly across the industry.”
In response to the “fake evidence” claim, Delve countered that it provides “templates to help teams document their processes in accordance with compliance requirements, as do other compliance platforms.” The startup emphasized that “draft templates are not the same as ‘pre-filled evidence.’”
Potential Fallout for Clients and Industry
The allegations, if substantiated, could have severe consequences for Delve’s customers. DeepDelver warned clients faced potential “criminal liability under HIPAA and hefty fines under GDPR” if their compliance attestations are invalid. The post also accused Delve of helping customers “mislead the public by hosting trust pages that contain security measures that were never implemented.”
DeepDelver said their own company has unpublished its trust page and no longer relies on Delve. The broader compliance technology sector, which has seen significant growth and investment, may face increased scrutiny. Regulators like the Federal Trade Commission have previously taken action against companies making false security claims.
Delve stated it is “actively investigating any leaks” and is “still reviewing the Substack” post. Attempts to reach the company for additional comment were unsuccessful; an email to the media address listed on Delve’s website bounced at the time of reporting.
What Happens Next
The situation remains fluid. Delve’s response has not directly addressed all specific technical claims made by DeepDelver. The identity of the anonymous source and their evidence remain unverified. Industry observers will watch for reactions from Delve’s investors, client statements, or potential regulatory interest. The core dispute—between Delve’s description of providing templates and the allegation of supplying pre-filled, fabricated evidence—presents a fundamental conflict requiring further clarification.
This article was produced with AI assistance and reviewed by our editorial team for accuracy and quality.