A Y Combinator-backed compliance startup valued at $300 million is facing serious fraud allegations. An anonymous Substack exposé claims Delve, which marketed AI-powered SOC 2, HIPAA, and GDPR certification, was generating identical audit reports, fabricating evidence of security controls, and outsourcing certifications to unaccredited overseas firms. Clients, including Wispr Flow, Lovable, and 11x, have since announced they are migrating to rival platforms. Delve has publicly disputed the claims, attributing report similarities to standard industry templates. The allegations carry significant implications: companies relying on Delve's certifications may have unwittingly presented fraudulent compliance credentials to enterprise and government clients.

In this article you’ll learn:

  • Why cheap compliance shortcuts can unravel enterprise contracts

  • How to verify your audit reports are legitimate before clients do

  • What the Delve fallout means for startups chasing federal deals

The Delve Scandal: A Y Combinator Darling Just Got Hit With a Bombshell Fraud Accusation

BY BEN SHERRY, STAFF REPORTER

Delve is in hot water following a viral Substack post filled with serious allegations.

Technology firms are distancing themselves from AI-powered compliance startup Delve following a bombshell Substack post that alleges that the company “fakes compliance while creating the appearance of compliance.” 

On March 18, an anonymous Substack account named Deepdelver published a lengthy article that claimed to have evidence that Delve had been generating “fraudulent” audit reports, lying about the security measures it implements, and fabricating “evidence of board meetings, tests, and processes that never happened.” The post claims that Delve “scammed” hundreds of clients including Lovable, Cluely, and Wispr Flow. Delve did not respond to Inc.’s request for comment.

Delve was founded in 2023 by Gen-Z entrepreneurs Karun Kaushik and Selin Kocalar, and was part of Y Combinator’s winter 2024 batch. The company promised to use “agentic AI” to speed through compliance certification in days rather than weeks or months. 

For companies looking to contract with major entities like large enterprises and governments, being in compliance with industry standards like SOC 2, ISO 27001, HIPAA, and GDPR can make the difference between an RFP win and loss. CPA firms review a company’s security practices and controls, then issue a report verifying that the company is in compliance with a given standard. 

Delve’s unique selling point has been that it uses AI agents to speed up the lengthy and tedious process of collecting evidence, writing reports, and monitoring compliance gaps. In January 2026, Kocalar told Inc. that Delve had over 1,000 customers in over 50 countries and had helped those clients land “nine-figure deals and federal contracts.” In July, the company raised $32 million at a $300 million valuation. 

But according to the anonymous report, Delve may not have been providing the services it advertised. The report alleges that in December, “a few hundred” clients (including the anonymous author’s workplace) received messages that their audit reports had been leaked through a publicly accessible Google Sheet. When Delve’s leadership denied that a breach had taken place, the author wrote, security employees across companies began investigating Delve.

Deepdelver claims this investigation revealed that Delve is using “Indian certification mills” to rubber stamp compliance reports that haven’t been properly verified, and that the product barely has anything to do with AI at all; instead it supposedly relies on “pre-populated templates, manual forms, and fabricated evidence.” 

In addition, Deepdelver wrote that Delve’s platform will generate Trust Pages (webpages detailing a company’s compliance certifications) with false information, like claiming that a company is compliant with standards that cannot be enforced through the platform. The company advertises itself as using AI to customize these pages to each company’s specific compliance situation, but the author claims all of the information is pre-written, and is the same no matter which company is using the platform.

“Seriously,” Deepdelver wrote, “becoming compliant with Delve is nothing more than clicking through a bunch of pre-populated forms and accepting everything.” 

In December, Delve clients received an email containing a spreadsheet that allegedly contained hundreds of leaked SOC 2 reports. In their email, the anonymous leaker revealed that all of the reports were “identical.” Kaushik, Delve’s CEO, confirmed the leak a few days later, but assured the clients that they were in compliance “and there is no impact to the validity of your audit report.” 

The Substack exposé included comparisons of the allegedly leaked SOC 2 reports, with Deepdelver noting that every report contained the exact same language when describing the effectiveness of a certain security procedure.

On March 20, Delve released a blog post refuting many of Deepdelver’s claims. The company wrote that it is misleading to claim that Delve uses templates to fill out the majority of its reports, since “most modern compliance platforms allow clients to adopt a fixed control set based on widely accepted standards,” and as a result, overlap between reports is expected.

The company said that these templates are “starting points only,” and that customers are responsible for “reviewing, modifying, and finalizing their own materials.” Delve also pushed back on the claim that it relies on Indian “certification mills” to speed up the compliance process, writing that “Delve customers can opt to work with an auditor of their choosing or opt to work with one from Delve’s network of independent, accredited third-party audit firms.” 

These third-party firms are “used broadly across the industry, including by other compliance platforms,” according to Delve.  

There are still several questions about the origin of the Substack report; some have speculated that the author could be connected to one of Delve’s competitors. The article also shows some telltale signs of AI-generated writing, such as frequent section breaks and a reliance on bullet points. But that hasn’t stopped former clients from loudly announcing their intentions to abandon the platform.

On X, popular vibe coding platform Lovable confirmed that it had been a Delve client, but had changed vendors in late 2025, before the controversy. Previously, Lovable had been featured on Delve’s website as a notable customer, but all references to clients have now been scrubbed from the page. In a statement, Lovable said: “Lovable is not a Delve customer. The company proactively transitioned away from Delve to Vanta in Q4 2025, prior to the recent public attention on Delve.” 

In a March 19 blog post, Wispr Flow chief technology officer Sahaj Garg said that the company launched a “comprehensive internal audit.” He said that gaps were found “between policy and implementation,” and that “remediation is already underway.” Garg added that they had hired Drata, a Delve rival used by Wiz, LinkedIn, and Brex. Wispr Flow did not respond to a request for comment.

Bland, a Delve client that is building AI agents for phone calls, posted on X that “out of an abundance of caution, we are contracting an independent auditor to review all materials and confirm our controls are sound.” And Prabhav Jain, CEO of AI-powered sales rep company 11x, confirmed on X that his company had contracted with Delve starting in late 2024, but said that “we’ll obviously be moving to a different provider” for compliance monitoring in 2026. Neither Bland nor 11x responded to a request for comment.
