Delve Accused Of Misleading Customers With ‘fake Compliance’

An anonymous Substack post published this week accuses compliance startup Delve of “falsely” convincing “hundreds of customers they were compliant” pinch privateness and information regulations, perchance exposing those customers to “criminal liability nether HIPAA and hefty fines nether GDPR.”

Delve is simply a Y Combinator-backed startup that past twelvemonth announced raising a $32 cardinal Series A astatine a $300 cardinal valuation. (The information was led by Insight Partners.) On Friday, nan startup attempted to refute nan accusations pinch on its blog, calling nan Substack station “misleading” and saying it “contains a number of inaccurate claims.”

The Substack station is credited to “DeepDelver,” who described themselves arsenic moving astatine a (now former) Delve client. 

DeepDelver recounted receiving an email successful December claiming nan startup had “leaked a spreadsheet pinch confidential customer reports.” While Delve CEO Karun Kaushik apparently assured customers successful a consequent email that they were successful compliance and that nary outer statement gained entree to delicate data, DeepDelver said they and different customers had go suspicious.

“Having nan shared acquisition of being underwhelmed pinch nan Delve experience, and having nan wide consciousness that thing fishy was going on, we decided to excavation resources and analyse together,” they wrote.

Their conclusion? That Delve “achieves its declare of being nan fastest level by producing clone evidence, generating auditor conclusions connected behalf of certification mills that rubber stamp reports, and skipping awesome model requirements while telling clients they person achieved 100% compliance.”

DeepDelver went into sizeable item astir those claims, accusing nan startup of providing customers pinch “fabricated grounds of committee meetings, tests, and processes that ne'er happened,” past forcing those customers to “choose betwixt adopting clone grounds aliases performing mostly manual activity pinch small existent automation aliases AI.”

DeepDelver besides claimed that virtually each of Delve’s clients look to person gone done 2 audit firms, Accorp and Gradient, which they described arsenic “part of nan aforesaid operation,” 1 that operates chiefly successful India, pinch only a nominal beingness successful nan United States.

Those firms, they said, are conscionable rubber-stamping reports that were generated by Delve. As a result, DeepDelver said nan startup “inverts” nan normal compliance structure: “By generating auditor conclusions, trial procedures, and last reports earlier immoderate independent reappraisal occurs, Delve places itself successful nan domiciled of some implementer and examiner. This is not a technicality. It is simply a structural fraud that invalidates nan full attestation.”

In summation to accusing Delve of misleading its customers, DeepDelver said nan startup is helping those customers “mislead nan nationalist by hosting spot pages that incorporate information measures that were ne'er implemented.” 

As for its ain narration pinch Delve, DeepDelver said their institution has unpublished its spot page and nary longer relies connected nan startup for compliance.

Delve responded to nan accusations by saying it does not rumor compliance reports astatine all. Instead, it’s an “automation platform” that ingests accusation astir compliance, past provides auditors pinch entree to that information.

“Final reports and opinions are issued solely by independent, licensed auditors, not Delve,” nan institution said.

Delve besides said that its customers “can opt to activity pinch an auditor of their choosing aliases opt to activity pinch 1 from Delve’s web of independent, accredited third-party audit firms.” Those firms, nan startup said, are “established firms utilized broadly crossed nan industry, including by different compliance platforms.”

In consequence to nan accusation that it’s providing customers pinch “fake evidence,” Delve countered that it’s simply offering “templates to thief teams archive their processes successful accordance pinch compliance requirements, arsenic do different compliance platforms.”

“Draft templates are not nan aforesaid arsenic ‘pre-filled evidence,” nan institution said.

Delve added that it is “actively investigating immoderate leaks” and is “still reviewing nan Substack.”

TechCrunch sent an email seeking further remark to nan media interaction reside listed connected Delve’s website; nan email bounced. We person besides reached retired to DeepDelver for further comment.