In a recent anonymous post on Substack, a compliance startup known as Delve has faced accusations of misleading clients regarding their adherence to privacy and security standards. The claims suggest that Delve may have inadvertently put its customers at risk of legal repercussions under regulations such as HIPAA and GDPR.
Delve, a startup supported by Y Combinator, had previously announced a successful $32 million Series A funding round, leading to a valuation of $300 million. In response to the allegations, Delve published a statement on its blog, labeling the Substack post as "misleading" and asserting that it contained several inaccuracies.
The author of the Substack post, who identifies as "DeepDelver," claims to have been affiliated with a former Delve client. They recounted an incident from December when an email revealed a potential data leak involving confidential client information. Despite assurances from Delve's CEO, Karun Kaushik, regarding compliance, clients reportedly began to question the startup's practices.
DeepDelver described their experience as underwhelming and expressed concerns about the authenticity of Delve's compliance claims. They alleged that the startup may be fabricating evidence to demonstrate compliance, including producing false documentation and bypassing essential regulatory requirements while assuring clients of their compliance status.
Further allegations included claims that Delve's clients were being funneled through two audit firms, Accorp and Gradient, which DeepDelver suggested were part of a coordinated effort to rubber-stamp compliance reports generated by Delve. This, they argued, undermines the integrity of the compliance process by allowing Delve to act as both the implementer and evaluator of compliance measures.
In addition to these serious claims, DeepDelver asserted that Delve was misleading the public by hosting trust pages that showcased security measures that were never put into practice. As a result, their own company decided to discontinue its relationship with Delve and remove its trust page.
Delve has countered these allegations by clarifying that it does not issue compliance reports. Instead, it acts as an automation platform that provides auditors with necessary information, allowing clients to choose their auditors from a network of accredited firms. Delve emphasized that final reports are solely produced by independent, licensed auditors, and it is committed to investigating any potential data leaks.
As the landscape of compliance technology evolves, the implications of these allegations highlight the importance of transparency and accountability within the industry. Ensuring genuine compliance not only safeguards clients but also fosters trust in the technology that supports critical regulatory frameworks.