An anonymous Substack post published this week accuses the compliance startup Delve of “falsely” convincing “hundreds of customers that they were complying” with privacy and security regulations, potentially exposing those customers to “criminal liability under HIPAA and heavy fines under GDPR.”
Delve is a Y Combinator-backed startup that last year announced a $32 million Series A fundraising round at a valuation of $300 million. (The round was led by Insight Partners.) On Friday, the startup attempted to refute the accusations on its blog, calling the Substack post “misleading” and saying it “contains a number of inaccurate claims.”
The Substack post is attributed to “DeepDelver,” who described themselves as working at a (now former) Delve client.
DeepDelver said they received an email in December claiming the startup had “leaked a spreadsheet containing confidential customer reports.” While Delve CEO Karun Kaushik apparently assured customers in a subsequent email that they were in compliance and that no external parties had access to sensitive data, DeepDelver said they and other customers had become suspicious.
“Having shared the experience of being disappointed by the Delve experiment and having a general feeling that something fishy was going on, we decided to pool our resources and investigate together,” they wrote.
Their conclusion? That Delve “achieves its claim to be the fastest platform by producing false evidence, generating audit findings on behalf of the certification mills that approve the reports, and ignoring key framework requirements while telling customers they have achieved 100% compliance.”
DeepDelver provided considerable detail about these claims, accusing the startup of providing customers with “fabricated evidence of board meetings, tests, and processes that never took place,” then forcing those customers to “choose between adopting false evidence or doing mostly manual work with little real automation or AI.”
DeepDelver also claimed that virtually all of Delve’s clients appear to have used two auditing firms, Accorp and Gradient, which they described as “part of the same operation,” one that operates primarily in India, with only a nominal presence in the United States.
These companies, they say, only approve the reports generated by Delve. As a result, DeepDelver said the startup “inverts” the normal compliance structure: “By generating audit findings, testing procedures, and final reports in advance of any independent review, Delve places itself in the role of both implementer and reviewer. It’s not a technicality. It is a structural fraud which invalidates the entire certificate.”
In addition to accusing Delve of misleading its customers, DeepDelver said the startup helps those customers “mislead the public by hosting trusted pages containing security measures that were never implemented.”
DeepDelver said that while their company was discussing its issues with Delve, the startup “sent us several boxes of donuts […] to keep us happy.” However, DeepDelver’s employer has not published its trust page and is no longer relying on the startup for compliance.
Delve responded to the accusations by saying that it does not publish compliance reports at all. Rather, it is an “automation platform” that ingests compliance information and then allows auditors to access that information.
“Final reports and opinions are issued only by independent, approved auditors, and not by Delve,” the company said.
Delve also said its clients “can choose to work with an auditor of their choice or work with an auditor from Delve’s network of independent, accredited third-party auditing firms.” These auditors, the startup said, are “established companies widely used across the industry, including by other compliance platforms.”
In response to the accusation that it provides its customers with “false evidence,” Delve countered that it simply offers “templates to help teams document their processes in accordance with compliance requirements, as other compliance platforms do.”
“Draft templates are not the same as ‘pre-populated proofs,’” the company said.
Delve added that it is “actively investigating any leaks” and is “still examining the Substack.”
Following the initial Substack post, an X user named James Zhou said they were able to access sensitive Delve information, such as employee background checks and stock vesting schedules. Jamieson O’Reilly, founder of Dvuln, shared more details from what O’Reilly said was a conversation with Zhou about “several gaping security holes in Delve’s external attack surface.”
TechCrunch sent an email seeking additional comment to the media contact address listed on Delve’s website. The email bounced, but then I received a calendar invite for a “Delve demo” later this week. TechCrunch has also contacted DeepDelver for additional comment.
This article has been updated with additional information on the alleged security vulnerabilities provided by Jamieson O’Reilly, as well as additional details from Delve’s response to TechCrunch.
