Anonymous Substack accuses Delve of fabricating SOC 2 and HIPAA compliance audits

Mar 20, 2026

Key Points

  • An anonymous Substack post accuses Delve, a compliance automation startup, of fabricating SOC 2 and HIPAA audit certifications to create plausible deniability for clients.
  • Delve's claimed three-week audit turnaround contradicts legitimate SOC 2 timelines, raising suspicion that the company prioritized speed over the rigor required for valid security certifications.
  • CEO posts about engineers pulling all-nighters and shipping code at 3 a.m. undermine confidence that a compliance firm would maintain the operational discipline needed for genuine audits.

Summary

An anonymous Substack post accuses Delve, a compliance automation startup, of fabricating SOC 2 and HIPAA audit certifications. The New York Times' Erin Griffith reported the accusation that Delve built "a machine designed to make clients complicit without their knowledge to manufacture plausible deniability while producing exactly the opposite."

Delve's founders appeared on Forbes' 30 Under 30 list, which has drawn broader scrutiny for its scale. The list now includes roughly 1,830 honorees annually, a significant expansion from its original 30-person format.

The fraud allegation centers on speed. Austin Pethersmith says he felt "FOMO reading about Delve customers getting it done in three weeks" while he was going through the standard SOC 2 audit process with Vanta. If the claims are true, that FOMO disappears.

Operational red flags emerged from company communications. The CEO posted in April about founding engineers on their "third all nighter," saying the team "never stopped shipping." A compliance company shipping code at 3 a.m. raises questions about whether it was prioritizing speed over the rigor required for legitimate security audits.

No formal investigation or enforcement action has been reported. The accusation remains unresolved.