Accusations Against Compliance Startup Delve
Delve, a compliance startup backed by Y Combinator, recently found itself under scrutiny after allegations emerged accusing the firm of misleading its customers about their privacy and security compliance, potentially exposing them to criminal liability under HIPAA and heavy GDPR fines. These accusations were made public in a Substack article penned by an anonymous author identified as “DeepDelver,” who claims to represent a former client of Delve.
Delve’s Response to the Accusations
Delve, valued at $300 million following a $32 million Series A round led by Insight Partners, has contested the allegations. The startup published a blog post refuting the Substack article, describing it as misleading and containing numerous inaccuracies. However, the controversy around Delve’s practices and the potential consequences for its clients have raised concerns in the tech industry.
Details of the Accusations
DeepDelver alleges that Delve’s methods involve producing false evidence and generating audit findings on behalf of certification mills. The anonymous author claimed that Delve’s practices lead to the company falsely assuring its customers that they have achieved full compliance, while key framework requirements are ignored. DeepDelver also accused Delve of providing its customers with fabricated evidence of board meetings, tests, and processes that never took place, forcing customers to choose between adopting false evidence or undertaking mostly manual work with little automation or AI.
Allegations Against Delve’s Auditing Firms
Furthermore, DeepDelver pointed out that the majority of Delve’s clients appear to have used two auditing firms, Accorp and Gradient, which they suggested were part of the same operation, primarily operating in India with a nominal presence in the United States. DeepDelver accused these companies of approving the reports generated by Delve without performing any independent review, thereby creating a situation where Delve acts as both the implementer and reviewer of its own compliance procedures, a setup the anonymous author described as “a structural fraud.”
Delve’s Defense
In response to these allegations, Delve has maintained that it does not publish compliance reports itself, but acts as an automation platform that ingests compliance information and allows auditors to access it. The final reports and opinions, it insists, are issued only by independent, approved auditors, not by Delve itself. The company also stated that its clients can choose to work with an auditor of their choice or select from Delve’s network of independent, accredited third-party auditing firms.
Delve’s Clarification on the “False Evidence” Accusation
On the accusation of providing customers with false evidence, Delve countered that it merely provides templates to help teams document their processes in accordance with compliance requirements, a common practice among compliance platforms. The company clarified that these draft templates are not the same as “pre-populated proofs.” In light of the ongoing controversy, Delve stated that it is actively investigating any alleged leaks and is still examining the Substack post.
Further Investigations
TechCrunch has reached out to both Delve and DeepDelver for additional comments on the allegations. However, the media contact address listed on Delve’s website returned an email bounce, indicating that the email didn’t get through. As the investigation continues, the tech industry and Delve’s clients await further developments with bated breath.
The original source of the allegations can be found here.
