
An anonymous post on Substack has accused compliance startup Delve of misleading customers about their privacy and security compliance status, raising concerns about potential legal and financial exposure.
The post, written by a user identifying as “DeepDelver,” claims the company falsely assured “hundreds of customers” that they were compliant with regulations like HIPAA and GDPR.
Allegations Point to Fabricated Evidence And Weak Audits
According to the post, Delve allegedly:
- Generated “fake evidence” of processes like board meetings and security tests
- Produced audit conclusions before independent review
- Relied on audit firms described as “rubber-stamping” reports
- Skipped key compliance requirements while claiming full certification
The author argues this setup “inverts” the normal compliance process by placing Delve in both implementation and verification roles, calling it a “structural fraud.”
The claims also suggest customers were pressured to either accept pre-generated documentation or complete largely manual compliance work.
Data Leak And Security Concerns Raised
The anonymous source said concerns began after an alleged data leak involving confidential client reports.
Separately, individuals online claimed they accessed sensitive internal data, including employee background checks and financial information, pointing to possible security gaps.
These claims have not been independently verified.
Delve Denies Claims, Calls Post Misleading
Delve rejected the accusations in a blog response, describing the Substack post as “misleading” and containing “inaccurate claims.”
The company stated:
- It does not issue compliance reports, but provides automation tools
- Final certifications are handled by independent third-party auditors
- Customers can choose their own auditors or use firms from Delve’s network
- Templates offered are standard documentation tools, not “fake evidence”
Delve also said it is investigating the alleged data leak and reviewing the claims made in the post.
Background And Stakes
Delve is a Y Combinator-backed startup that raised a $32 million Series A round last year, reportedly at a $300 million valuation.
If the allegations were proven true, affected companies could face serious consequences, including regulatory penalties or legal exposure tied to non-compliance.
For now, the situation remains unresolved, with claims and counterclaims highlighting a deeper issue in the fast-growing compliance automation space: how much trust businesses can place in tools that promise speed and simplicity in meeting complex regulatory standards.
