Delve, a Y Combinator-backed compliance startup, is facing serious allegations that it fabricated compliance certifications for hundreds of clients, raising broader concerns about the reliability of artificial intelligence (AI)-driven audit tools.
A March 19 investigation published on Substack by DeepDelver claimed that a leaked spreadsheet revealed hundreds of draft compliance reports that may not have undergone proper auditing.
Founded in 2023 by Karun Kaushik and Selin Kocalar, the startup is headquartered in San Francisco and is part of the Y Combinator Winter 2024 batch.
Delve is part of a new wave of startups using AI agents to automate back-office functions such as security compliance. Its platform helps companies obtain certifications like SOC 2, ISO 27001, HIPAA, and GDPR, which are standards widely used to demonstrate data security and regulatory adherence.
These certifications are critical for startups looking to win enterprise customers, as they signal that a company meets accepted security and privacy benchmarks.
The company has taken down website pages that discuss case studies and client testimonials, as verified by ET.
What’s being alleged
The investigation raises multiple red flags about how these reports were generated. It said most SOC 2 reports relied on the same template, sharing identical wording, structure, and even grammatical errors, with only company-specific details changed.
Additionally, audit conclusions were allegedly written in advance, before any review of evidence. Reports consistently showed zero security incidents, no staff changes, and no operational issues, an outcome experts say is highly unlikely in real-world scenarios.
The “US-based auditors” advertised by Delve were allegedly outsourced firms operating from India through US-registered shell entities, raising questions about independence and oversight.
The report also claimed that Delve’s platform generated ready-made compliance documents, including risk assessments, board minutes, and security reports that clients could adopt with minimal changes.
Further, while Delve marketed integrations with tools like cloud platforms and code repositories, the investigation alleged that many of these were manual uploads, such as screenshots, rather than real-time API integrations, limiting their ability to demonstrate continuous compliance.
Delve CEO reacts
Delve CEO Karun Kaushik has denied the allegations, calling them “falsified” and “AI-generated.” He maintained that no sensitive data was exposed, even as the reports allegedly contained private signatures and confidential architectural diagrams.

Separately, AI startup Lovable stated that it is not a Delve customer after being linked to the controversy in online discussions.
Why it matters
Compliance certifications like SOC 2 and ISO 27001 are designed to ensure that companies follow robust security and data protection practices. If these processes are compromised, the consequences could be serious.
Companies relying on such certifications could face legal and financial risks, including potential liability under HIPAA and fines of up to 4% of global revenue under the General Data Protection Regulation (GDPR) for violations they believed had been addressed.
Per Y Combinator's website, Delve has worked with over 1,500 companies, helping them achieve certification four times faster than traditional methods.