Delve accused of misleading customers with ‘fake compliance’

An Substack post unknown published this week opposes the start-up Delve “false” claims to the satisfaction of “hundreds of customers who comply” with privacy and security laws, which could expose those customers to “criminal charges under HIPAA and significant fines under GDPR.”

Delve is a startup that backed Y Combinator last year announced a $32 million Series A raise at a cost of $300 million. (The round was led by Insight Partners.) On Friday, the founders attempted to refute the allegations. on his blogcalling Substack’s post “misleading” and saying it “contains several incorrect statements.”

The Substack post is called “DeepDelver,” who described himself as working on the (now defunct) Delve client. In response to questions sent by email from TechCrunch, DeepDelver said that it and its employees “have chosen to remain anonymous for fear of retaliation by Delve.”

In their filing, DeepDelver also explained that they received an email in December saying that “the startup had released a website with confidential customer reports.” Although Delve CEO Karun Kaushik appears to have assured customers in a follow-up email that they are following through and that no outside group has obtained sensitive information, DeepDelver said they and other customers have grown suspicious.

“Having the same experience with Delve, and realizing that there was something fishy about it, we decided to gather some resources and investigate together,” he wrote.

Their ending? That Delve “lives up to its claim of being the fastest fraud proofing platform, issuing auditor audits instead of rubber stamp verification mills, skipping major requirements and telling customers 100% compliance.”

DeepDelver elaborated on the claims, accusing the startup of providing customers with “evidence of meetings, tests, and methods that have never been done before,” and forcing those customers to “choose between relying on fake evidence or doing a lot of manual work with virtual machines or AI.”

DeepDelver also said that almost all of Delve’s customers appear to have gone through two accounting firms, Accorp and Gradient, which he described as “part of the same service,” operating mainly in India, which is limited to the United States.

Those companies, they said, are rubber-stamping reports produced by Delve. As a result, DeepDelver said that the startup “disrupts” its approach: “By creating auditors’ calculations, test methods, and final reports before independent evaluation, Delve puts itself in the role of both initiators and testers. This is not technology. It is a fraud that prevents all evidence.”

In addition to accusing Delve of misleading its customers, DeepDelver said the startup helps those customers “mislead people by maintaining trusted websites with unprecedented security.”

DeepDelver said that when their company was discussing its issues with Delve, the founders “sent us a few boxes of donuts (…) to keep us happy.” However, DeepDelver’s boss says he hasn’t published his trusted website and doesn’t rely on the startup to follow suit.

Delve responded to the allegations by saying that it does not report listeners at all. Instead, it’s an “automated platform” that enters compliance-related information, then provides auditors with access to that information.

“Final reports and recommendations are provided by independent, certified auditors, not Delve,” the company said.

Delve stated that its clients “can choose to work with an accountant of their choice or choose to work with Delve’s independent, certified third-party accounting firm.” The researchers, the founders said, “are established companies that are widely used in all industries, combined with other tracking methods.”

Responding to accusations that it provides customers with “false evidence,” Delve countered that it only provides “templates to help teams document their activities in the same way as other tracking platforms.”

“Preparatory templates are not the same as ‘pre-filled proofs,'” the company said.

Delve added that it is “actively investigating the issue” and is “still evaluating Substack.”

When asked about Delve’s response, DeepDelver told TechCrunch that he was “surprised by its laziness, stupidity and stupidity.”

“They are trying to get out of accountability by refusing to have ‘pre-filled proofs’ but calling them ‘templates’ instead, blaming customers for taking ‘templates’ as they are,” DeepDelver said. “They are saying that they are not the ones to ‘issue’ the report, which is easy to say if you explain that issuing a report is giving it the final stamp.”

He added that there are “lots of really big lawsuits” that Delve never responded to: “The Indian accusations, the lack of AI (they just talk about ‘automation’), and the trust site (lol) with controls that didn’t happen.”

It seems that DeepDelver was not done with his criticism, as he promised, “Part II will follow soon.”

Additionally, following Substack’s first post, an X user named James Zhou he said they were able to access sensitive information from Delve, such as employee background checks and revenue streams. Dvuln founder Jamieson O’Reilly he shared a lot from what O’Reilly said and discussed with Zhou about “several security holes in Delve’s attack surface.”

TechCrunch sent an email seeking additional comment to the media contact address on Delve’s website. The email was hit, but after this article was published, I received a calendar invite for a “Delve demo” this weekend.

This article was originally published on March 21, 2026. It has been updated with email responses from DeepDelver, information about the security threat provided by Jamieson O’Reilly, and more about Delve’s response to TechCrunch.