March 22, 2026 — Compliance automation startup Delve is facing serious allegations that it misled customers by fabricating evidence and improperly handling audit processes. The accusations, detailed in an anonymous Substack post, claim the Y Combinator-backed company exposed clients to potential regulatory penalties.
Anonymous Allegations Surface
An anonymous author using the pseudonym “DeepDelver” published a detailed account this week accusing Delve of systemic problems. The author claims to have worked at a former Delve client and collaborated with other dissatisfied customers. Their investigation concluded that Delve “achieves its claim of being the fastest platform by producing fake evidence” and “generating auditor conclusions on behalf of certification mills.”
DeepDelver told TechCrunch they chose anonymity “out of fear for retaliation by Delve.” The post alleges the startup provided customers with “fabricated evidence of board meetings, tests, and processes that never happened.” According to the author, this forced clients to choose between adopting questionable documentation or performing manual work despite promises of automation.
Startup’s Strong Denial
Delve responded forcefully to the allegations on its company blog, calling the Substack post “misleading” and containing “a number of inaccurate claims.” The startup stated it does not issue compliance reports but serves as an automation platform that ingests information for independent auditors.
“Final reports and opinions are issued solely by independent, licensed auditors, not Delve,” the company asserted. Delve explained that customers can choose their own auditors or select from the startup’s network of third-party firms. Regarding evidence templates, Delve countered that it provides “templates to help teams document their processes” and that “draft templates are not the same as ‘pre-filled evidence.'”
Specific Claims of Impropriety
The anonymous post makes several specific allegations about Delve’s operations. DeepDelver claims virtually all Delve clients used two audit firms—Accorp and Gradient—described as “part of the same operation” with primary operations in India. The author alleges these firms rubber-stamped reports generated by Delve, inverting normal compliance structures.
“By generating auditor conclusions, test procedures, and final reports before any independent review occurs, Delve places itself in the role of both implementer and examiner,” DeepDelver wrote. “This is not a technicality. It is a structural fraud that invalidates the entire attestation.”
The post also accuses Delve of helping customers “mislead the public by hosting trust pages that contain security measures that were never implemented.” DeepDelver recounted that during dispute discussions, Delve “sent us multiple boxes of donuts to keep us happy.” Their former employer has since unpublished its trust page and stopped using Delve’s services.
Security Concerns and Ongoing Investigation
Following the initial allegations, separate security concerns emerged. An X user named James Zhou claimed to have accessed sensitive Delve information, including employee background checks and equity vesting schedules. Security researcher Jamieson O’Reilly of Dvuln shared details from conversations with Zhou about “several gaping security holes in Delve’s external attack surface.”
Delve stated it is “actively investigating any leaks” and continues reviewing the Substack post. The startup emphasized that its auditor network includes “established firms used broadly across the industry, including by other compliance platforms.”
What Comes Next
DeepDelver promised a “Part II” would follow soon, suggesting more allegations may surface. The situation places Delve’s clients in a difficult position, potentially facing regulatory scrutiny if the allegations prove accurate. Delve, which announced a $32 million Series A funding round last year at a $300 million valuation led by Insight Partners, now faces significant reputational challenges.
The controversy highlights broader concerns about compliance automation platforms and their relationships with audit firms. Regulatory bodies overseeing HIPAA and GDPR compliance may need to examine how technology platforms interact with traditional audit processes. For now, both sides appear entrenched in their positions, with Delve maintaining its innocence and anonymous critics promising more revelations.
This article was produced with AI assistance and reviewed by our editorial team for accuracy and quality.
