Controversy Surrounds Compliance Startup Delve
Delve, a compliance startup, has found itself at the center of a controversy after allegations surfaced that it misled clients about their compliance with privacy and security regulations.
Parting Ways with Y Combinator and Insight Partners
The controversy appears to have cost Delve its relationship with accelerator Y Combinator. Delve is no longer listed in YC’s directory of portfolio companies, and the Delve page seems to have been removed from the YC website. In addition, the startup’s COO Selin Kocalar posted on X that “YC and Delve have parted ways.”
“I still remember the day we took our YC interview at MIT,” Kocalar said. “We’re so grateful to the community and every founder friend we’ve made.”
YC isn’t the first investor to distance itself from Delve. Insight Partners also appears to have deleted posts about its investment in the company, although its primary blog post was later restored.
Allegations of Misrepresentation
Meanwhile, Delve continues to push back against anonymous claims that it misled clients by telling them they were compliant with privacy and security regulations while allegedly skipping important requirements and auto-generating reports for “certification mills that rubber stamp reports.”
Those claims were first published in an anonymous Substack post attributed to “DeepDelver,” who described themselves as a former Delve customer who became suspicious after receiving leaked data about the startup’s clients.
DeepDelver published subsequent posts sharing what they said were Slack and video posts from the company, as well as accusing Delve of passing off an open source tool as its own, without giving credit or reaching an agreement with the developer. A security researcher also said he was able to access sensitive Delve data.
- Delve claims that it has hired a cybersecurity firm “to help us understand what happened,” and that the “evidence points to a malicious attack rather than a genuine whistleblower.”
- The company also described DeepDelver’s criticism as “a mix of fabricated claims, cherry-picked screenshots, and data taken out of context.”
- Delve said it “built on an Apache 2.0 open-source repository, which explicitly permits commercial use, and significantly rebuilt it for compliance use cases.”
Steps to Regain Customer Trust
Delve executives also said they’ve been taking steps to ensure customers “feel confident in our platform and compliance outcomes.” These steps supposedly include cleaning up the company’s network to remove auditing firms “that don’t meet our standards,” “offering complimentary re-audits and penetration tests to all active customers,” and making it “unambiguously clear” that Delve’s templates for things like board meeting notes “are designed to be starting points only.”
In a post on X, Kaushik made many of the same points but also said, “[W]e grew too fast and fell short of our own standard. To our customers, we deeply apologize for the inconveniences caused.”
