A nameless Substack article, issued this week, charges the regulatory tech firm Delve with “erroneously persuading” “hundreds of clients that they met requirements” for data confidentiality and safety stipulations, possibly subjecting those clients to “legal culpability under HIPAA and considerable monetary penalties under GDPR.”
Delve, a new venture supported by Y Combinator, revealed last year it had secured a $32 million Series A funding round, valuing it at $300 million. (Insight Partners spearheaded this investment.) On Friday, the nascent company sought to rebut these allegations via its blog, labeling the Substack entry as “deceptive” and asserting it “comprises several untrue assertions.”
The Substack piece is attributed to “DeepDelver,” who identified themselves as an employee at a (presently former) Delve customer. Replying to inquiries emailed by TechCrunch, DeepDelver stated that both they and their associates “opted for anonymity due to apprehension of retribution from Delve.”
Within their submission, DeepDelver detailed getting an email in December asserting the new company had “divulged a spreadsheet containing private client records.” Although Delve CEO Karun Kaushik reportedly guaranteed clients in a following email of their adherence and that no outside entity had obtained access to confidential information, DeepDelver indicated that they and other customers grew wary.
“Given our collective dissatisfaction with the Delve service, and sensing a general air of impropriety, we resolved to combine our resources and probe into the matter collectively,” they penned.
Their deduction? That Delve “fulfills its assertion of being the quickest platform by fabricating proof, crafting auditor findings for certification bodies that merely endorse reports, and bypassing significant framework mandates while informing clients of their complete compliance.”
DeepDelver expounded significantly on these assertions, indicting the nascent firm of supplying clients with “concocted proof of board assemblies, evaluations, and procedures that never transpired,” subsequently compelling those clients to “select between utilizing counterfeit evidence or undertaking predominantly manual tasks with minimal genuine automation or artificial intelligence.”
TechCrunch gathering
San Francisco, California
|
October 13th to 15th, 2026
DeepDelver additionally asserted that almost all of Delve’s patrons appear to have utilized two audit companies, Accorp and Gradient, which they characterized as “components of a unified enterprise,” predominantly active in India, possessing merely a symbolic foothold in the United States.
Those entities, they stated, are simply endorsing reports that originated from Delve. Consequently, DeepDelver conveyed that the nascent firm “reverses” the standard compliance framework: “By producing auditor determinations, assessment protocols, and ultimate reports prior to any unbiased scrutiny, Delve assumes the dual capacity of both executor and assessor. This is not a triviality. It represents a fundamental deceit that nullifies the complete affirmation.”
Beyond charging Delve with deceiving its clientele, DeepDelver asserted that the burgeoning company assists those clients in “misleading the populace by maintaining trust pages featuring security protocols that were never put into effect.”
DeepDelver mentioned that while their organization was addressing its concerns with Delve, the startup “dispatched several boxes of doughnuts […] to appease us.” Despite this, DeepDelver’s employer reportedly removed its trust page and no longer depends on the nascent firm for regulatory adherence.
Delve countered the allegations by declaring it does not generate compliance reports whatsoever. Rather, it functions as an “automation platform” that processes regulatory data, subsequently granting auditors access to said information.
“Conclusive reports and judgments are solely rendered by autonomous, certified auditors, not by Delve,” the corporation declared.
Delve also stated that its patrons “may elect to collaborate with an auditor of their preference or opt to engage with one from Delve’s consortium of autonomous, accredited third-party auditing entities.” These auditors, the nascent firm noted, are “well-established entities widely utilized throughout the sector, encompassing other regulatory compliance platforms.”
Addressing the charge that it furnishes clients with “simulated evidence,” Delve retorted that it merely supplies “templates designed to assist teams in documenting their procedures in alignment with compliance mandates, mirroring practices of other regulatory platforms.”
“Preliminary templates are distinct from ‘pre-populated evidence,’” the corporation affirmed.
Delve further mentioned that it is “diligently probing any data breaches” and is “presently examining the Substack content.”
When queried regarding Delve’s reply, DeepDelver informed TechCrunch that they were “perplexed by its indolence, awkwardness, and audacity.”
“They are endeavoring to evade accountability by disclaiming ‘pre-populated evidence’ and relabeling it as ‘templates’ instead, thereby effectively transferring culpability to customers for adopting the ‘templates’ without modification,” DeepDelver stated. “They assert they are not the ones to ‘release’ the report, an assertion facile to make if one defines releasing a report as affixing the conclusive approval.”
They further noted that “several highly significant accusations” were entirely ignored by Delve: “The India claim, the absence of AI (they solely discuss ‘automations’), and the trust (haha) page displaying controls that were never put into practice.”
Evidently, DeepDelver has not concluded its critique, having pledged, “Part II will be released shortly.”
Furthermore, subsequent to the initial Substack entry, an X user named James Zhou reported successfully accessing confidential data from Delve, including employee vetting records and stock vesting timetables. Jamieson O’Reilly, founder of Dvuln, divulged further specifics from what O’Reilly described as a discussion with Zhou concerning “multiple significant security flaws in Delve’s outward-facing attack perimeter.”
TechCrunch dispatched an email requesting further commentary to the press contact address enumerated on Delve’s web portal. The email was undeliverable, yet subsequent to the publication of this piece, I was issued a calendar invitation for a “Delve demonstration” scheduled for later this week.
This article was first issued on March 21, 2026. It has since been refreshed with emailed replies from DeepDelver, supplementary data regarding alleged security weaknesses furnished by Jamieson O’Reilly, and further specifics concerning Delve’s rejoinder to TechCrunch.
{content}
Source: {feed_title}