Delve faces fake compliance accusations
whistleblower claims SOC 2 and privacy attestations were manufactured through audit partners, trust paperwork becomes the product
techcrunch.com
A YC-backed compliance startup valued at $300 million is facing a public allegation that it sold customers “fake compliance” by manufacturing evidence and routing audits through what the whistleblower calls certification mills.
According to TechCrunch, an anonymous Substack author writing as “DeepDelver” claims Delve helped “hundreds” of clients present themselves as meeting security and privacy frameworks while skipping core requirements. Delve’s CEO Karun Kaushik has denied the account, saying Delve does not issue compliance reports and that “final reports and opinions are issued solely by independent, licensed auditors.”
The dispute matters because modern enterprise security has become a procurement problem before it is a technical one. SOC 2 reports, ISO 27001 certificates, and similar attestations are routinely treated as a prerequisite for selling to larger customers, signing partnerships, or even getting paid. When buyers cannot directly evaluate another company’s internal controls, they buy a document that stands in for trust. That creates a market for speed and certainty: the fastest path to a “pass” can be more valuable than the slow work of building controls that withstand scrutiny.
DeepDelver alleges Delve exploited that demand by generating evidence and audit narratives upstream of any independent testing, then pairing customers with a narrow set of audit firms. In that model, the auditor is no longer a skeptical outside reviewer but the final step in a production line. The incentive becomes to standardise paperwork so it can be reproduced across clients, because the unit economics of compliance-as-a-service depend on throughput.
Delve’s response draws a legal and operational line: it describes itself as an automation platform that collects compliance information and gives auditors access, while clients can choose any auditor or use one from Delve’s network. That distinction is crucial in a world where liability flows to the company that claims compliance, not to the software vendor that helped generate the artefacts. If a breach or regulator inquiry later reveals that controls were never implemented, the customer is the one exposed to contractual penalties and, in some jurisdictions, regulatory fines.
The broader lesson is that attestations can converge on a lowest-common-denominator equilibrium. Serious firms pay to implement controls and to be audited; less serious firms pay for the same stamp via a cheaper path; buyers treat both as equivalent because procurement checklists rarely price the difference.
In the TechCrunch account, the whistleblower says Delve once sent “multiple boxes of donuts” while a client raised concerns. The allegation is not that the paperwork failed to reassure buyers—it is that it may have done its job too well.