Compliance startup Delve was accused by an anonymous Substack post of “falsely” convincing “hundreds of customers they were compliant” with privacy and security regulations, potentially exposing those customers to “criminal liability under HIPAA and hefty fines under GDPR.”
Delve refuted the accusations on its blog on Friday, calling the Substack post “misleading” and saying it “contains a number of inaccurate claims.”
The Substack post is credited to “DeepDelver,” who described themselves as working at a (now former) Delve client. “Having the shared experience of being underwhelmed with the Delve experience, and having the overall sense that something fishy was going on, we decided to pool resources and investigate together,” they wrote.
The post said that Delve “achieves its claim of being the fastest platform by producing fake evidence, generating auditor conclusions on behalf of certification mills that rubber stamp reports, and skipping major framework requirements while telling clients they have achieved 100% compliance.”
DeepDelver went into detail about these claims, saying that the startup is providing customers with “fabricated evidence of board meetings, tests, and processes that never happened,” then forcing those customers to “choose between adopting fake evidence or performing mostly manual work with little real automation or AI.”
DeepDelver also claimed that virtually all of Delve’s clients seem to have gone through two audit firms, Accorp and Gradient, which they described as “part of the same operation,” one that operates primarily in India, with only a nominal presence in the United States. They said that the firms are just rubber-stamping reports that were generated by Delve.
As a result, DeepDelver said the startup “inverts” the normal compliance structure: “By generating auditor conclusions, test procedures, and final reports before any independent review occurs, Delve places itself in the role of both implementer and examiner. This is not a technicality. It is a structural fraud that invalidates the entire attestation.”
DeepDelver also said that Delve is helping those customers “mislead the public by hosting trust pages that contain security measures that were never implemented.” They added that while their company was discussing its issues with Delve, the startup “sent us multiple boxes of donuts […] to keep us happy.” Nonetheless, DeepDelver’s employer supposedly unpublished its trust page and no longer relies on the startup for compliance.
Delve responded to these accusations by saying it does not issue compliance reports at all. Instead, it’s an “automation platform” that ingests information about compliance, then provides auditors with access to that information.
Delve also said that customers “can opt to work with an auditor of their choosing or opt to work with one from Delve’s network of independent, accredited third-party audit firms.” Those auditors, the startup said, are “established firms used broadly across the industry, including by other compliance platforms.”
Delve also responded to the accusations that it’s providing customers with “fake evidence” by saying that it’s simply offering “templates to help teams document their processes in accordance with compliance requirements, as do other compliance platforms.”
“Draft templates are not the same as ‘pre-filled evidence,’” the company said, adding that it is “actively investigating any leaks” and is “still reviewing the Substack.”


