Delve’s Fake Compliance Scandal: What Went Wrong

A Compliance Startup Is Accused of Faking the Compliance It Sells

Delve, a Y Combinator-backed startup that raised $32 million at a $300 million valuation, is facing accusations of fake compliance. An anonymous Substack post published in March 2026 claims Delve “falsely” convinced “hundreds of customers they were compliant” with privacy and security regulations, potentially exposing them to criminal liability under HIPAA and fines under GDPR. Delve has called the accusations “misleading” and says the post contains “inaccurate claims.” But the details in the investigation are specific enough to raise serious questions.

What the Anonymous Investigation Claims

  • Delve allegedly produced fabricated evidence of board meetings, tests, and processes that never happened
  • Auditor conclusions were generated on behalf of “certification mills that rubber stamp reports”
  • Major framework requirements were allegedly skipped while telling clients they achieved 100% compliance
  • Customers were forced to choose between adopting fake evidence or doing manual compliance work
  • A data leak in December exposed a spreadsheet with confidential client reports

How the Investigation Started

The anonymous author, writing as “DeepDelver,” described working at a former Delve client. In December, customers received an email claiming the startup had leaked a spreadsheet with confidential client reports. Delve CEO Karun Kaushik assured customers that data was secure and compliance was intact.

But several customers had already grown suspicious. DeepDelver wrote that they “pooled resources” with other dissatisfied clients to investigate.

“Having the shared experience of being underwhelmed with the Delve experience, and having the overall sense that something fishy was going on, we decided to pool resources and investigate together,” the anonymous author wrote.

Why This Matters Beyond One Startup

Compliance is not optional. HIPAA violations can carry criminal penalties. GDPR fines can reach 4% of annual revenue. If Delve customers believed they were compliant when they were not, those customers face real legal exposure.

The broader concern is about AI-powered compliance tools in general. Delve marketed itself as the fastest platform for achieving compliance. Speed was the selling point. But compliance is a process that requires real documentation, real testing, and real verification. If shortcuts produce fake results, the efficiency gains are meaningless.

Delve’s Response

Delve published a blog post calling the Substack investigation “misleading.” The company said the post contains “inaccurate claims” but did not provide detailed rebuttals to the specific accusations about fabricated evidence or rubber-stamped audits.

DeepDelver told TechCrunch they chose to remain anonymous “out of fear for retaliation by Delve.” The investigation remains ongoing, and the outcome could have implications for the broader compliance-as-a-service industry, where similar startups use AI to automate audit preparation and evidence collection.