An anonymous Substack post published this week accuses the compliance startup Delve of “falsely” convincing “hundreds of customers that they were in compliance” with privacy and security regulations, exposing those customers to “criminal liability under HIPAA and heavy fines under GDPR.”
Delve is a Y Combinator-backed startup that last year announced it would raise a $32 million round at a $300 million valuation. (The round was led by Insight Partners.) On Friday, the startup attempted to counter the allegations on its blog, calling the Substack post “misleading” and saying it “contains a number of inaccurate claims.”
The Substack post is credited to “DeepDelver”, who described themselves as working at a (now former) Delve client. In response to questions via email from TechCrunch, DeepDelver said that they and their partners “have chosen to remain anonymous for fear of retaliation from Delve.”
In their post, DeepDelver recounted receiving an email in December that claimed the startup had “leaked a spreadsheet of confidential customer reports.” While Delve CEO Karun Kaushik apparently assured customers in a follow-up email that they were in compliance and no outside parties had access to sensitive data, DeepDelver said they and other customers had become suspicious.
“Having the shared experience of being overwhelmed by the Delve experience and having a general sense that something terrible was going on, we decided to pool resources and investigate together,” they wrote.
Their conclusion? That Delve “achieves its claim of being the fastest platform by producing bogus data, generating auditor conclusions on behalf of certification factories that report seals, and bypassing basic framework requirements, telling customers they’ve achieved 100% compliance.”
DeepDelver went into significant detail about these allegations, accusing the startup of providing customers with “fabricated evidence of board meetings, tests and processes that never happened,” then forcing those customers to “choose between adopting fake evidence or performing mostly manual tasks with little real automation or AI.”
DeepDelver also claimed that nearly all of Delve’s clients appear to have gone through two auditing firms, Accorp and Gradient, which they described as “part of the same business,” one that operates primarily in India, with only a nominal presence in the United States.
These firms, they said, simply sign off on reports created by Delve. As a result, DeepDelver said the startup is “inverting” the normal compliance structure: “By creating auditor conclusions, test procedures and final reports before any independent review, Delve places itself in the role of both implementer and examiner. This is not a technicality. It is a structural fraud that invalidates the entire certification.”
In addition to accusing Delve of misleading its customers, DeepDelver said the startup helps those customers “mislead the public by hosting trust pages that contain security measures that were never implemented.”
DeepDelver said that while their company was discussing its issues with Delve, the startup “sent us several boxes of donuts […] to keep us happy.” DeepDelver’s employer has reportedly since taken down its trust page and no longer relies on the startup for compliance.
Delve responded to the accusations by saying that it does not issue compliance reports at all. Rather, it is an “automation platform” that ingests information about compliance and then provides auditors with access to that information.
“Final reports and opinions are issued solely by independent, authorized auditors, not by Delve,” the company said.
Delve also said that its customers “can choose to work with an auditor of their choice or choose to work with one of Delve’s network of independent, accredited third-party auditing firms.” These auditors, the startup said, are “established companies that are widely used across the industry, including other compliance platforms.”
Responding to the accusation that it provides customers with “fake data,” Delve said that it simply offers “templates to help teams document their processes against compliance requirements, just like other compliance platforms.”
“Drafts are not the same as ‘careful evidence,’” the company said.
Delve added that it is “actively investigating any leaks” and is “still looking into” the Substack post.
When asked about Delve’s response, DeepDelver told TechCrunch that they were “confused by its laziness, clumsiness, and insolence.”
“They are trying to escape being held responsible by denying that they have ‘pre-populated evidence’ and calling them ‘standards’ instead, effectively shifting the onus to customers to adopt the ‘standards’ as they are,” DeepDelver said.
They added that there are “some very serious allegations” that Delve didn’t address at all: “The India category, the lack of AI (they only talk about ‘automations’) and the trust page (lol) containing controls that were never implemented.”
DeepDelver apparently isn’t done, having promised that “Part II will follow soon.”
In addition, after the initial publication of the Substack post, an X user named James Zhou said he was able to access sensitive information from Delve, such as employee background checks and stock vesting schedules. Dvuln founder Jamieson O’Reilly shared more details from what O’Reilly said was a conversation with Zhou about “several security gaps in Delve’s external attack surface.”
TechCrunch sent an email seeking additional comment to the media contact address listed on Delve’s website. The email bounced, but after this article was published, I received a calendar invite for a “Demo Demo” later this week.
This post was originally published on March 21, 2026. It has been updated with email responses from DeepDelver, additional information about alleged security vulnerabilities provided by Jamieson O’Reilly, and additional details about Delve’s response to TechCrunch.
