A Substack post by DeepDelver alleges that Delve misled hundreds of customers into believing they were compliant with privacy and security rules, potentially exposing those customers to criminal liability under HIPAA and fines under GDPR.
KEY FACTS
- Allegation: An anonymous Substack post accuses the company of fabricating compliance evidence
- Scope: The post says hundreds of customers were affected
- Auditors: The post names two audit firms, Accorp and Gradient, as largely involved
- Company position: The company’s blog response frames the product as an automation platform and not an issuer of final reports
The report recounts a December email claiming a leaked spreadsheet and notes a later company message that assured customers no external access occurred. Customers then pooled resources and investigated the platform’s processes.
The report alleges the platform produced prefilled or fabricated evidence, generated auditor conclusions before independent review, and skipped major framework requirements. The post identifies two audit firms that it describes as effectively rubber-stamping reports and having a limited U.S. presence.
The report also alleges that public trust pages hosted by the company listed controls that were never implemented. One customer reportedly unpublished its trust page and stopped relying on the service. The post includes an anecdote about the company sending boxes of donuts while issues were discussed.
The company blog response linked above includes the lines “Final reports and opinions are issued solely by independent, licensed auditors, not Delve” and “Draft templates are not the same as ‘pre-filled evidence’” and describes the product as an automation platform that gives auditors access to customer information.
Following the post, an X user reported access to sensitive items such as employee background checks and equity schedules. A security researcher shared additional details about alleged gaps in the external attack surface. An email to the listed media contact bounced, and a calendar invite for a demo arrived after publication.
WHY IT MATTERS
If the allegations are accurate, customers and their partners could face regulatory penalties and legal exposure. Key details remain unverified, and the disclosure and the company response will determine whether auditors and regulators need to investigate further.

