Delve, a SOC 2 compliance startup, faces allegations of fabricating audit reports

Summary

Delve, a SOC 2 and HIPAA compliance automation startup, faces allegations that it fabricated audit reports and deliberately obscured its methods to make clients complicit without their knowledge. An anonymous Substack—published under the account "DeepDelver" and professionally presented with article backups and whistleblower contact channels—laid out the claims in detail. The New York Times' Erin Griffith amplified the core accusation: Delve "built a machine designed to make clients complicit without their knowledge to manufacture plausible deniability while producing exactly the opposite."

Delve has worked with clients including Lovable and Cluely. The startup's pitch centered on using AI and speed to compress what is typically a grueling, months-long compliance process. According to the allegations, that speed came from cutting corners: duplicating reports, falsifying documentation, and architecting the entire process to obscure its methods from customers.

The story gained traction partly because both Delve founders appeared on Forbes' 30 Under 30 list—a credential that has become a lightning rod for credibility questions after multiple high-profile frauds involved 30 Under 30 honorees. The juxtaposition amplified the narrative: young founders, prestigious recognition, allegations of systematic deception.

Austin Pethersmith, who has been navigating SOC 2 certification with Vanta (a podcast sponsor), noted the irony: reading about Delve customers completing the process in three weeks while he grinds through the legitimate version would have been tempting—if the allegations weren't true. One screenshot from a Delve CEO post from April showed a founder working his "third all nighter," which prompted pushback about whether a compliance and security company should be shipping code at 3 a.m. at all.

The allegations are serious and one-sided at this point. The story is clearly ongoing.