The controversy around Dig seems to have cost the compliance startup its relationship with accelerator Y Combinator.
Delve is no longer listed as a YC portfolio company and the Delve page seems to have been removed from the YC website. Additionally, the startup’s COO Selin Kocalar posted on X that “YC and Delve have parted ways.”
“I still remember the day we got our YC interview at MIT,” Kocalar said. “We’re so grateful to the community and every founder friend we’ve made.”
YC is not the first investor to walk away from Delve. Insight Partners also appears to have deleted posts about its investment in the company, although its main blog post was later restored.
Meanwhile, Delve continues to dispute anonymous allegations that it misled customers into saying it was complying with privacy and security regulations, while allegedly bypassing important requirements and automatically generating reports for “rubberstamp reporting certification mills.”
These allegations were first published in an anonymous substack post attributed to “DeepDelver,” who described himself as a former Delve customer who became suspicious after receiving leaked data about the startup’s customers.
DeepDelver posted subsequent posts sharing what they said were Slack posts and videos from the company, as well as accusing Delve of passing off an open source tool as its own without giving credit or entering into an agreement with the developer. A security researcher also said it could access to sensitive Delve data;.
Techcrunch event
San Francisco, California
|
13-15 October 2026
Meanwhile, Delve became part of a related controversy when malware was discovered in an open source project developed by Delve client LiteLLM.
In the company’s latest blog postDelve CEO Kocalar and CEO Karun Kaushik stated their intention to “set the record straight on anonymous attacks.” Among other things, they claimed the company has hired a cybersecurity firm “to help us figure out what happened” and said “the evidence points to a malicious attack rather than a genuine whistleblower.”
“It appears that an attacker purchased Delve under false pretenses, leaked malicious data, including Delve’s internal corporate data, and used it to launch a coordinated smear campaign against us,” they said. The blog post also includes a screenshot they said “shows the attacker breaking into our audit trail spreadsheet via file.io.”
Beyond this accusation, Delve also described DeepDelver’s review as “a mix of fabricated claims, curated screenshots and data taken out of context.” For example, they said DeepDelver “rejects our AI while admitting it automated 70% of a security questionnaire.”
On the issue of using open source tools, Delve said it was “built on an Apache 2.0 open source repository, which explicitly allows commercial use, and refactored it significantly for compliance use cases.”
However, executives also said they have taken steps to ensure customers “feel confident in our platform and compliance outcomes.”
Those steps are said to include cleaning up the company’s network to remove audit firms “that don’t meet our standards,” “offering free audits and penetration tests to all active clients,” and making it “unequivocally clear” that Delve’s standards for things like board meeting notes “are designed to be starting points only.”
In a post on XKaushik made many of the same points, but also said;[W]e grew too fast and fell below our standards. We apologize to our customers for the inconvenience caused.”
TechCrunch reached out to Y Combinator and DeepDelver for any response to Delve’s comments.
