Delve accused of misleading customers with ‘fake compliance’
In a recent anonymous post on Substack, compliance startup Delve has been accused of misleading hundreds of customers about their compliance with privacy and security regulations. The allegations suggest that Delve’s practices could expose its clients to criminal liability under the Health Insurance Portability and Accountability Act (HIPAA) and to hefty fines under the General Data Protection Regulation (GDPR).
Background on Delve
Delve is a startup that gained traction through Y Combinator and recently raised $32 million in a Series A funding round, achieving a valuation of $300 million. The funding round was led by Insight Partners, highlighting the startup’s rapid growth and the interest it has garnered from investors.
The Allegations
The Substack post, authored by an individual using the pseudonym “DeepDelver,” claims to be from a former client of Delve. The author expressed concerns over the legitimacy of Delve’s compliance assurances, stating that the startup had sent out communications indicating that it had leaked sensitive client information. Despite assurances from Delve’s CEO, Karun Kaushik, that compliance was maintained and no data was compromised, the author and other clients became increasingly skeptical.
Claims of Fabricated Evidence
DeepDelver’s post alleges that Delve has been generating fake evidence to support its compliance claims. The author contends that Delve has been providing clients with fabricated documentation, including:
- Fake evidence of board meetings
- Non-existent tests and processes
- Auditor conclusions generated without proper independent review
The post further claims that clients were pressured to either accept this fabricated evidence or resort to manual compliance work, which lacked the promised automation and AI features.
Audit Firms Under Scrutiny
DeepDelver also raised concerns about the audit firms that Delve collaborates with, specifically identifying two firms, Accorp and Gradient, as being part of the same operation. The author alleges that these firms, which have a minimal presence in the United States and primarily operate in India, are merely rubber-stamping reports generated by Delve without conducting thorough independent reviews.
This practice, according to DeepDelver, inverts the typical compliance structure, as Delve supposedly positions itself as both the implementer of compliance measures and the examiner of those measures. This alleged conflict of interest raises serious questions about the validity of the compliance attestations provided to clients.
Delve’s Response
In response to the allegations, Delve issued a statement on its blog, labeling the Substack post as misleading and filled with inaccuracies. The company emphasized that it does not issue compliance reports directly. Instead, Delve describes itself as an automation platform that collects compliance information and provides it to independent auditors for review.
Delve clarified that final compliance reports and opinions are issued solely by licensed auditors, and clients have the option to work with auditors of their choice or select from Delve’s network of accredited third-party audit firms. The startup also defended its practices by stating that it offers templates to assist teams in documenting their compliance processes, differentiating these templates from the “pre-filled evidence” that DeepDelver accused them of providing.
Continued Criticism
Despite Delve’s rebuttal, DeepDelver expressed dissatisfaction with the company’s response, labeling it as lazy and evasive. The author accused Delve of attempting to evade accountability by redefining terms and shifting the blame onto customers. DeepDelver indicated that there are several serious allegations that Delve failed to address, including the accusations regarding the audit firms and the legitimacy of the security measures claimed to be in place.
Security Vulnerabilities
In addition to the compliance allegations, concerns about Delve’s security practices have surfaced. An X user named James Zhou claimed to have accessed sensitive information from Delve, including employee background checks and equity vesting schedules. This revelation was supported by Jamieson O’Reilly, founder of Dvuln, who discussed the significant security flaws in Delve’s external attack surface.
Conclusion
The situation surrounding Delve raises critical questions about compliance practices within the tech industry, particularly for startups that are rapidly scaling. As the debate continues, both Delve and its critics are likely to provide further insights and developments. The implications of these allegations could have far-reaching effects on the startup’s reputation and the trust of its clients.
Note: This article is based on the latest available information and may be subject to updates as the situation evolves.