Delve accused of misleading customers with ‘fake compliance’

An anonymous Substack post published this week accuses compliance startup Delve of “falsely” convincing “hundreds of customers they were compliant” with privateness and information regulations, perchance exposing those customers to “criminal liability nether HIPAA and hefty fines nether GDPR.”

Delve is simply a Y Combinator-backed startup that past twelvemonth announced raising a $32 cardinal Series A astatine a $300 cardinal valuation. (The circular was led by Insight Partners.) On Friday, the startup attempted to refute the accusations with on its blog, calling the Substack station “misleading” and saying it “contains a fig of inaccurate claims.”

The Substack station is credited to “DeepDelver,” who described themselves arsenic moving astatine a (now former) Delve client. 

DeepDelver recounted receiving an email successful December claiming the startup had “leaked a spreadsheet with confidential lawsuit reports.” While Delve CEO Karun Kaushik seemingly assured customers successful a consequent email that they were successful compliance and that nary outer enactment gained entree to delicate data, DeepDelver said they and different customers had go suspicious.

“Having the shared acquisition of being underwhelmed with the Delve experience, and having the wide consciousness that thing fishy was going on, we decided to excavation resources and analyse together,” they wrote.

Their conclusion? That Delve “achieves its assertion of being the fastest level by producing fake evidence, generating auditor conclusions connected behalf of certification mills that rubber stamp reports, and skipping large model requirements portion telling clients they person achieved 100% compliance.”

DeepDelver went into sizeable item astir those claims, accusing the startup of providing customers with “fabricated grounds of committee meetings, tests, and processes that ne'er happened,” past forcing those customers to “choose betwixt adopting fake grounds oregon performing mostly manual enactment with small existent automation oregon AI.”

DeepDelver besides claimed that virtually each of Delve’s clients look to person gone done 2 audit firms, Accorp and Gradient, which they described arsenic “part of the aforesaid operation,” 1 that operates chiefly successful India, with lone a nominal beingness successful the United States.

Those firms, they said, are conscionable rubber-stamping reports that were generated by Delve. As a result, DeepDelver said the startup “inverts” the mean compliance structure: “By generating auditor conclusions, trial procedures, and last reports earlier immoderate autarkic reappraisal occurs, Delve places itself successful the relation of some implementer and examiner. This is not a technicality. It is simply a structural fraud that invalidates the full attestation.”

In summation to accusing Delve of misleading its customers, DeepDelver said the startup is helping those customers “mislead the nationalist by hosting spot pages that incorporate information measures that were ne'er implemented.” 

As for its ain narration with Delve, DeepDelver said their institution has unpublished its spot leafage and nary longer relies connected the startup for compliance.

Delve responded to the accusations by saying it does not contented compliance reports astatine all. Instead, it’s an “automation platform” that ingests accusation astir compliance, past provides auditors with entree to that information.

“Final reports and opinions are issued solely by independent, licensed auditors, not Delve,” the institution said.

Delve besides said that its customers “can opt to enactment with an auditor of their choosing oregon opt to enactment with 1 from Delve’s web of independent, accredited third-party audit firms.” Those firms, the startup said, are “established firms utilized broadly crossed the industry, including by different compliance platforms.”

In effect to the accusation that it’s providing customers with “fake evidence,” Delve countered that it’s simply offering “templates to assistance teams papers their processes successful accordance with compliance requirements, arsenic bash different compliance platforms.”

“Draft templates are not the aforesaid arsenic ‘pre-filled evidence,” the institution said.

Delve added that it is “actively investigating immoderate leaks” and is “still reviewing the Substack.”

TechCrunch sent an email seeking further remark to the media interaction code listed connected Delve’s website; the email bounced. We person besides reached retired to DeepDelver for further comment.