
Delve Faces Allegations of Faking HIPAA and GDPR Compliance
Key Takeaways
- Anonymous Substack post accuses Delve of falsely claiming HIPAA and GDPR compliance.
- The allegations claim hundreds of customers could face criminal liability under HIPAA and fines under GDPR.
- Delve denies the accusations, calling them misleading.
Compliance Startup Under Fire
Compliance startup Delve is facing serious allegations from a pseudonymous Substack report accusing the company of misleading "hundreds" of customers about their compliance status with HIPAA and GDPR regulations.
“The recent controversy surrounding the regulatory compliance startup Delve has captured the attention of the business and tech communities”
The report, written by DeepDelver, raises concerns about potential legal and financial exposure for customers who may face regulatory penalties due to the alleged deception.

Delve, which raised $32 million in Series A funding last year at a reported $300 million valuation and is backed by Y Combinator, positions itself as an automation layer for audits including SOC 2, ISO 27001, HIPAA, and other frameworks.
The allegations strike at the core of the "compliance-as-a-service" industry, which promises faster attestations and AI-driven workflows but may be cutting corners on actual compliance requirements.
Fabricated Evidence Claims
The detailed allegations from DeepDelver claim that Delve systematically generated "fabricated evidence" and pre-baked audit conclusions, effectively "inverting" the normal compliance process.
According to the investigation, Delve allegedly created fake evidence of board meetings and nonexistent processes, then forced customers to choose between these fraudulent proofs or performing manual compliance work with little automation.

The report specifically highlights that nearly all Delve clients were routed through two audit firms, Accorp and Gradient, described as part of the same operation primarily based in India with minimal U.S. presence.
These firms are accused of acting as "report factories" that quickly validate whatever Delve presents without proper scrutiny, potentially invalidating the entire compliance certification process.
Company Defense And Response
In response to the serious allegations, Delve has categorically denied issuing compliance reports and rebranded itself as an "automation platform" that merely collects compliance information for auditors.
“Compliance startup Delve is under fire after a pseudonymous Substack report alleged the company misled ‘hundreds’ of customers into believing they were fully compliant with data protection and security standards”
The company insists that final reports are issued exclusively by independent auditors and that customers have the freedom to select any auditor or choose from Delve's network of established providers.
Delve also addresses the "fake evidence" charge by claiming to provide templates to help customers document processes to meet framework requirements, arguing these templates require client customization and are no different from other compliance platforms.
The company has stated it is investigating potential data leaks and reviewing the Substack allegations, though DeepDelver counters that rebranding pre-populated artifacts as "templates" shifts responsibility onto customers while preserving the same fraudulent outcomes.
Compliance Integrity Risks
The alleged practices pose significant risks to the compliance ecosystem and regulatory frameworks that rely on independent assessment and evidence.
Established frameworks like SOC 2 and ISO 27001 require evidence that is timely, complete, and tied to actual controls in operation.

According to AICPA guidance, there are serious concerns about self-review threats where an auditor's independence could be compromised by relying on management-driven or tool-generated conclusions.
The shortcuts allegedly taken by Delve could leave material gaps in critical areas like access control, incident response, change management, and board oversight, potentially exposing customers to regulatory violations and security vulnerabilities.
The situation raises broader questions about the integrity of automated compliance platforms and whether they can reliably deliver on their promises without compromising fundamental compliance principles.
Data Security Concerns
Compounding the compliance allegations are serious concerns about data security and potential breaches at Delve.
The investigation began after DeepDelver discovered a leaked spreadsheet containing confidential client reports, suggesting significant vulnerabilities in the company's data handling practices.

A security researcher named James Zhou claimed to have gained access to sensitive internal data including employee background checks and equity records.
An industry peer reportedly described "gaping" exposure on Delve's external attack surface, indicating fundamental security weaknesses.
These security concerns add another layer of risk for customers who trusted Delve with their compliance documentation and sensitive business information, raising questions about whether a company accused of faking compliance can adequately protect customer data.