An anonymous Substack post published this week accuses the compliance startup Delve of “falsely” convincing “hundreds of customers that they were in compliance” with privacy and security regulations, exposing those customers to “criminal liability under HIPAA and heavy fines under GDPR.”
Delve is a Y Combinator-backed startup that last year announced it would raise a $32 million series at a $300 million valuation. (The round was led by Insight Partners.) On Friday, the startup attempted to counter the allegations on its blog, calling the Substack post “misleading” and saying it “contains a number of inaccurate claims.”
The Substack post is credited to “DeepDelver”, who described themselves as working at a (now former) Delve client.
DeepDelver recounted receiving an email in December that claimed the startup had “leaked a spreadsheet of confidential customer reports.” While Delve CEO Karun Kaushik apparently assured customers in a follow-up email that they were in compliance and no outside parties had access to sensitive data, DeepDelver said they and other customers had become suspicious.
“Having the shared experience of being overwhelmed by the Delve experience and having a general sense that something terrible was going on, we decided to pool resources and investigate together,” they wrote.
Their conclusion? That Delve “achieves its claim of being the fastest platform by producing bogus data, generating auditor conclusions on behalf of certification factories that report seals, and bypassing basic framework requirements, telling customers they’ve achieved 100% compliance.”
DeepDelver went into significant detail about these allegations, accusing the startup of providing customers with “fabricated evidence of board meetings, tests and processes that never happened,” then forcing those customers to “choose between adopting fake evidence or performing mostly manual tasks with little real automation or AI.”
DeepDelver also claimed that nearly all of Delve’s clients appear to have gone through two auditing firms, Accorp and Gradient, which they described as “part of the same business,” one that operates primarily in India, with only a nominal presence in the United States.
These companies, they said, simply sign off on reports created by Delve. As a result, DeepDelver said the startup is “inverting” the normal compliance structure: “By creating auditor conclusions, test procedures and final reports before any independent review, Delve places itself in the role of both implementer and examiner. This is not a technicality. It is a structural fraud that invalidates the entire certification.”
In addition to accusing Delve of misleading its customers, DeepDelver said the startup helps those customers “mislead the public by hosting trust pages that contain security measures that were never implemented.”
DeepDelver said that while their company was discussing its issues with Delve, the startup “already sent us several boxes of donuts to keep us happy.” However, DeepDelver’s employer has reportedly taken down the trust page and no longer relies on the startup for compliance.
Delve responded to the accusations by saying that it does not issue compliance reports at all. Rather, it is an “automation platform” that ingests information about compliance and then provides auditors with access to that information.
“Final reports and opinions are issued solely by independent, authorized auditors, not by Delve,” the company said.
Delve also said that its customers “can choose to work with an auditor of their choice or choose to work with one of Delve’s network of independent, accredited third-party auditing firms.” These auditors, the startup said, are “established companies that are widely used across the industry, including other compliance platforms.”
Responding to accusations that it provides customers with “fake data,” Delve said that it simply offers “templates to help teams document their processes against compliance requirements, just like other compliance platforms.”
“Drafts are not the same as ‘careful evidence,’” the company said.
Delve added that it is “actively investigating any leaks” and “still looking into Substack.”
TechCrunch sent an email seeking additional comment to the media contact address listed on Delve’s website. The email bounced. We’ve also reached out to DeepDelver for additional comment.
