The story of embattled compliance startup Delve continues to hit twists and turns.
TechCrunch has confirmed that Delve was the compliance firm that performed the security certifications for Context AI, the artificial intelligence agent training startup that last week disclosed a security incident that led to a data breach at popular app and website hosting giant Vercel.
On the other hand, Lovable, which had its own security incident, is no longer a Delve customer.
To recap: Last month, Delve came under fire when an anonymous whistleblower alleged that the startup was falsifying customer data and using sealers in its compliance and certification processes. Delve denied these claims.
Shortly thereafter, hackers attacked one of Delve’s security certification clients, LiteLLM, and planted malware in its open source code. After the incident, LiteLLM told TechCrunch that it is dropping Delve and getting recertified.
Delve was also accused of taking an open source tool and passing it off as its own project without proper attribution of license. The startup’s reputation took a hit, prompting Y Combinator, from which Delve graduated, to cut ties.
After last weekend, Vercel said hackers had breached its internal systems and accessed some customer data. The company said the hackers broke in when an employee downloaded an app created by Context AI and linked that app to Vercel’s Google-hosted corporate account. Hackers abused the employee’s access to their Google account to break into some of Vercel’s internal systems.
After the Context AI name in the Vercel attack, Gergely Orosz, author of the engineering newsletter, The Pragmatic Engineer, said in a post on X that Delve was the company that handled Context AI’s security certification.
Context AI has now confirmed to TechCrunch that it did indeed use Delve, but has since left the startup and is in the process of re-certifying.
“Yes, Context was previously a customer of Delve,” a Context AI spokesperson told TechCrunch. “Following the reports surrounding Delve in March, we moved our compliance program to Vanta and engaged Insight Assurance, an independent audit firm, to conduct new examinations. As part of the review, we have begun updating our public materials and will share the new attestation when complete,” the spokesperson added.
Security certifications alone do not stop security issues. Their purpose is to verify that a company has implemented policies and procedures to prevent attacks and reduce the possibility of customer data being compromised.
Example: Lovable was a Delve customer, but after the whistleblower’s complaints are made public; Coding platform vibe said it had abandoned the startup at the end of 2025. The company has already re-completed one security certification and is in the process of redoing others, it said.
Still, lovable Monday he admitted that it had inadvertently shared public access to customer chat data. The company also said it had dismissed vulnerability reports that alerted the company to the problem months earlier. Lovable apologized for initially denying there was a data breach, though it said the problem was caused by a configuration error rather than hacking.
There’s even more weird news surrounding Delve. The anonymous whistleblower, DeepDelver, has published another post claiming that Delve was denying refunds to customers, but still led her team of more than 20 people to an off-site meeting in Hawaii between April 15 and April 19.
The whistleblower shared some compelling evidence with TechCrunch that lends credence to the alleged trip to Hawaii, but TechCrunch was unable to confirm other claims.
Delve did not respond to requests for comment and confirmation, and an email sent to its media relations department was bounced.
When you purchase through links in our articles, we may earn a small commission. This does not affect our editorial independence.
