Delve Accused Of Misleading Customers With Fake Compliance

This week, an anonymous post rocking Substack’s quieter corners lobbed heavy accusations at Delve, a once-rising star among compliance startups. According to the writer—calling themselves simply “DeepDelver”—Delve convinced “hundreds of customers” that they had met strict privacy and security standards, all while quietly leading them into a legal minefield, risking both criminal penalties under HIPAA and ruinous GDPR fines.

Delve, which fell under Y Combinator’s golden light and announced a triumphant $32 million Series A last year (with Insight Partners at the helm), shot back almost immediately, labeling the Substack piece “misleading” and riddled with mistakes. They posted their rebuttal Friday, eager to set the record straight, or at least cast doubt on their anonymous critic.

According to DeepDelver, these suspicious threads began unraveling in December. An alarming email landed in their inbox, containing whispers of a leaked spreadsheet—one filled with confidential client details. Shortly after, Delve’s CEO Karun Kaushik emailed reassurances: no breach, nothing to see here, clients’ data was safe. But DeepDelver and others felt the sting of doubt. Too many things didn’t add up.

As DeepDelver described, “Being collectively let down by Delve and sensing that something was off, we pooled our resources for a deeper look.” What they found, at least in their telling, painted a disturbing picture.

Delve, they claimed, was only fast because it cut corners. The post accused the startup of inventing evidence—simulated board meetings, phantom tests, entire processes that, in reality, never happened. Clients, they wrote, faced an unsettling choice: embrace falsified reports or slog through manual tasks, undermining the promise of automation and AI that drew many to Delve in the first place.

DeepDelver didn’t stop there. They pointed out that nearly all Delve customers were funneled through just two auditors: Accorp and Gradient. Both, the post said, seemed like two faces of the same entity, mostly operating out of India with only paper-thin U.S. presences. The supposed auditing process, DeepDelver alleged, was little more than rubber-stamping what Delve produced, upending the entire concept of independent oversight.

“In reality, Delve flips the compliance system on its head,” the post charged. “By generating final conclusions and reports before any outside review, Delve acts as both the builder and the judge. That’s not a technicality—it’s foundational fraud that voids the entire process.”

Beyond misleading its customers, DeepDelver said, Delve was also helping those same customers “deceive the public,” propping up trust pages online that showcased security measures which, in truth, were never put in place. At one point, as tensions grew, Delve tried to patch things over the old-fashioned way—by sending boxes of donuts, hoping perhaps that sugar could soothe suspicion. But DeepDelver’s employer wasn’t impressed; they took down their trust page and severed their ties with the startup.

Delve’s official response deflected the biggest charges. The company insisted that it does not issue compliance reports and described itself as just an “automation platform” that pulls in compliance information and passes it to outside auditors who, Delve claimed, are properly licensed and fully independent. Clients can choose their auditor, whether within Delve’s network or outside it.

As for the talk of “fake evidence,” Delve said they merely provide templates—nothing different from what any comparable compliance service might do. “Draft templates are not evidence,” they wrote. “We’re still reviewing the Substack post and investigating any alleged leaks.”

TechCrunch reached out for further comment, but their message bounced back—no contact found. Still, later that week, a calendar invite appeared: “Delve demo.”

DeepDelver, unswayed by Delve’s reply, called its response lazy and “brazen.” In their view, the company dodged the heart of the allegations—sidestepping hard questions about the two audit firms, the absence of real AI, and the fake trust pages. Their verdict? “Part II will follow soon.”

The story isn’t just confined to Substack. On X, a user named James Zhou claimed he accessed sensitive Delve data—background checks, employee vesting schedules, the lot. Security researcher Jamieson O’Reilly recounted what he called a chat with Zhou, describing “gaping” holes in Delve’s external defenses.

The fallout continues. TechCrunch updated their coverage after more answers trickled in—DeepDelver’s written responses, details on security lapses, Delve’s evolving replies. Delve’s moment in the sun, it seems, may be cloudier than their pitch decks ever suggested.