
When the Compliance Company Isn't Compliant: The Delve Story

Jim Nitterauer

That's exactly what played out with Delve, a Y Combinator-backed compliance startup that spent the better part of 2025 convincing hundreds of companies they were compliant with SOC 2, ISO 27001, and various privacy regulations. The story started unraveling in March 2026 when an anonymous whistleblower, writing on Substack under the name "DeepDelver," published what they described as a firsthand account of what was really happening inside Delve's platform.

The allegations: Delve was telling customers they were compliant when they weren't. Auto-generating reports. Using "certification mills" that turned out to be auditing firms that rubber-stamp reports without doing meaningful work. Building a business model on the appearance of security rather than the substance of it.

The customers, many of them startups themselves who trusted a peer in the ecosystem and a fellow YC portfolio company, were left holding compliance certifications that may not be worth the paper they're printed on.


This Is Not a New Problem. It's an Old Pattern.

I've written before about the compounding cost of technical debt. How organizations that skip security fundamentals in the name of speed eventually face a reckoning they didn't budget for. The Delve story is a variant of that same disease, except the debt wasn't accrued through benign negligence. It was, if the allegations prove accurate, a deliberate business decision.

The "move fast and figure it out later" culture of startups doesn't just produce messy codebases and unpatched dependencies. Sometimes it produces companies that decide the shortcut is to fake the outcome entirely.

Speed over substance. Growth metrics over customer integrity. Investor optics over operational truth.

We've seen this pattern before. And the customer always pays.


What the Whistleblower Found

The DeepDelver Substack posts painted a detailed picture. The whistleblower claimed to have become suspicious after coming across leaked data about Delve's client base: a misconfigured Google Sheet that contained links to hundreds of confidential draft SOC 2 and ISO 27001 audit reports. That alone is an extraordinary security failure for a company whose entire value proposition is security compliance.

The posts alleged that Delve's AI was being used not to streamline genuine compliance work, but to auto-generate the appearance of it by skipping requirements, producing templated outputs, and routing customers to auditors who would sign off without the scrutiny of an actual audit.

Then came the secondary allegations. Delve had reportedly built a product it called "Pathways," a no-code workflow tool it pitched to prospects as proprietary. The whistleblower recognized it as a near-identical fork of an open-source tool called SimStudio, built by Sim.ai. Not only had Delve allegedly taken the open-source project without proper credit or license attribution, it had done so to a company that was simultaneously a paying Delve customer. Sim.ai's founder, Emir Karabeg, confirmed to TechCrunch that Delve had no license agreement with Sim.ai whatsoever.

The irony writes itself: a compliance company, allegedly out of compliance with the most basic software licensing obligations, selling compliance to others.


The Investor and Accelerator Response

Within weeks, the fallout was visible at the institutional level. Insight Partners, which had led a $32 million Series A investment in Delve in 2025, quietly scrubbed its blog posts and LinkedIn announcements about the investment. Y Combinator removed Delve from its portfolio directory and asked the founders to leave the program. Delve's COO, Selin Kocalar, confirmed the split in a post on X.

This is significant. YC doesn't quietly part ways with portfolio companies over misunderstandings. And Insight Partners doesn't delete investment announcements because a whistleblower posted something they could easily rebut.

When money gets quiet, it's usually telling you something.


Delve's Response: A Case Study in Crisis Management (Done Wrong)

Delve's leadership issued a blog post declaring they would "set the record straight on anonymous attacks." They claimed a cybersecurity firm they hired concluded the evidence "points to a malicious attack rather than a genuine whistleblower." They characterized DeepDelver's posts as "a mix of fabricated claims, cherry-picked screenshots, and data taken out of context."

CEO Karun Kaushik did make one admission on X that stood out: "We grew too fast and fell short of our own standard. To our customers, we deeply apologize for the inconveniences caused."

Calling the potential invalidation of your customers' security certifications an "inconvenience" may be the most tone-deaf line in recent startup history. These aren't inconvenienced customers. These are organizations that made security decisions, hiring decisions, vendor decisions, board-level assurances, and more based on compliance certifications they believed were real. Their own customers, in turn, made purchasing decisions based on compliance reports that everyone in the chain believed were legitimate.

If those certifications were rubber-stamped, those organizations may now face real regulatory exposure, failed audits, and conversations with customers and partners they are not prepared to have.


The Real Victim: Your Customers

Here's what I want every founder, every product leader, and every board member to sit with for a moment.

Delve's customers didn't fail. They did what you're supposed to do. They identified a compliance need, vetted a vendor, paid for a solution, and received documentation that said they were compliant. They trusted the system. They believed that the vendor knew best how to solve a problem.

The system failed them.

That's the part that gets lost in the drama of a whistleblower story and a YC expulsion. The conversation becomes about founders and investors and reputations. But somewhere out there are dozens, maybe hundreds of companies right now whose SOC 2 reports may not reflect reality. Companies that told their own customers they were compliant. Companies that are carrying liability they don't know about yet.

This is what happens when the growth imperative outweighs the integrity imperative. And it doesn't just happen at Delve. It happens anywhere the incentive to show results is stronger than the incentive to do the work.


What This Should Tell Security and Compliance Buyers

The Delve story is a reminder that vendor due diligence isn't optional even when the vendor is a fellow startup, a YC alum, or comes with a well-known VC name on the cap table. Especially then, actually, because the halo effect of prestigious backers can suppress the skepticism that should be standard practice.

A few questions every organization should be asking before trusting any compliance vendor:

Who is actually doing the audit? A software platform that streamlines compliance is not the same as a qualified auditor performing an independent assessment. Know who is signing the reports and verify their credentials: a SOC 2 report must be issued by a licensed CPA firm, and an ISO 27001 certificate should come from a certification body that is accredited and can be looked up in the accreditation body's public register.

What does "AI-assisted compliance" actually mean in practice? AI can accelerate legitimate compliance work. It can also automate the generation of worthless paperwork. Ask for specifics on what the AI does, what a human reviews, and what the auditor independently validates.

Can you see the audit work papers? Real audits leave evidence trails. If your compliance vendor can't show you the substantive work behind the report, that's a red flag.

What happens if your certification is challenged? If a regulator, a customer, or an insurance carrier questions your compliance status, can your vendor support you with documentation? What are their contractual obligations if their work is found deficient?

Is the auditing firm independent? The term "certification mill" exists for a reason. Auditors that routinely work with a single compliance platform without meaningful independence are a structural conflict of interest.


The Bigger Pattern We Keep Ignoring

Delve is a cautionary tale, but it is not a unique one. The compliance-as-a-service market has exploded in the past five years, driven by the real and growing demand for SOC 2 attestations, ISO 27001 certifications, and demonstrable HIPAA and GDPR compliance. Startups need these to close enterprise deals. The market has responded by building an entire ecosystem designed to make compliance faster, cheaper, and easier.

Faster, cheaper, and easier compliance is not inherently a problem. Legitimate automation genuinely does reduce the burden of compliance for small and mid-sized organizations. But when "faster, cheaper, and easier" becomes the product rather than a means to the outcome, you end up with a market that rewards the appearance of compliance over the substance of it.

And the customers — the ones who needed real protection — are the ones left exposed.

This is a market integrity problem. And it won't be solved by one whistleblower Substack post, no matter how well-documented. It will be solved when buyers get more sophisticated, when auditing firms take their independence obligations seriously, and when investors stop treating compliance shortcuts as acceptable growth tactics.


A Final Word on Integrity

There's a version of the Delve story where the founders made some genuinely bad decisions under the pressure of hypergrowth and investor expectations, and a version where the deception was more deliberate. I don't know which version is true, and neither do you. The facts are still emerging.

What I do know is this: the cybersecurity and compliance industry is fundamentally built on trust. When you buy a security solution or a compliance certification, you are trusting that the vendor is telling you the truth. That trust is the entire product. You can't have a functioning security ecosystem without it.

Startups that treat that trust as an obstacle to growth, rather than the foundation of their business, will eventually face the reckoning Delve is facing now. The whistleblower always comes. The spreadsheet always leaks. The auditor's independence always gets questioned.

The only question is whether your customers are collateral damage when it happens.

That's a question every founder in this space should be asking themselves right now.

The latest Substack article outlines Delve's response to its customers: a clandestine trip to Hawaii, allegedly funded with money taken from its customers and investors. And the real meat of the story hasn't dropped yet. If your business was impacted by the Delve deceptions, don't wait. Request a refund here. Then reach out to a professional with the experience needed to get your trust program back on track. I am happy to help guide you in your recovery process. Schedule a thirty-minute discovery call here.

