Analysis

Delve, a YC-backed compliance startup that raised $32 million, has been accused of systematically faking SOC 2, ISO 27001, HIPAA, and GDPR compliance reports for hundreds of clients

According to a detailed Substack investigation by DeepDelver, a leaked Google spreadsheet containing links to hundreds of confidential draft audit reports revealed that Delve generates auditor conclusions before any auditor reviews evidence, uses the same template across 99.8% of reports, and relies on Indian certification mills operating through empty US shells instead of the "US-based CPA firms" they advertise.

Audit Integrity & Independence

  • Delve breaches AICPA/ISO rules by acting as auditor, generating pre-drafted assessments, tests, and conclusions
  • Delve relies on audit firms that rubber stamp reports because genuine independent verification would expose the evidence as fabricated or deficient
  • Named leadership (Karun Kaushik, Selin Kocalar, Charles Nwatu, Taher Lokhandwala, Isaiah de la Fuente, Varun Gurnaney) is complicit in intentional misconduct

Misrepresentation to Customers

  • Delve misleads clients by claiming reports are produced by US-based CPA firms, when in reality they are produced by Delve and rubber stamped by Indian certification mills
  • Delve leads clients to believe they are compliant when they are not
  • Delve helps clients mislead the public by hosting trust pages that contain security measures that were never implemented
  • Delve lies to clients when directly questioned, denying documented facts about the leak and report generation
  • Delve markets AI-driven automation while the product is practically devoid of AI, relying on pre-populated templates, manual forms, and fabricated evidence

Product & Process Deficiencies

  • Delve’s product is unable to get companies truly compliant
  • Delve’s platform forces companies to choose between adopting fake evidence or performing mostly manual work with little real automation
  • Unable to deliver real compliance through its platform, Delve depends on fraudulent auditors who rubber stamp reports for clients, falling back on off-platform manual work with external vCISOs and good auditors only when complaints or a client's public profile threaten its business interests

Regulatory & Compliance Risk

  • Delve’s process results in clients violating GDPR and HIPAA requirements, exposing them to criminal liability under HIPAA and fines up to 4% of global revenue under GDPR
  • Companies relying on Delve face regulatory, contractual, and reputational risk

The above individuals knowingly participated in Delve's deliberate misconduct regarding audit practices.

Delve Team

Delve was founded in 2023 by Karun Kaushik and Selin Kocalar, both Forbes 30 Under 30 members and MIT dropouts who met as freshmen. They started with a medical AI scribe, pivoted to compliance after hitting HIPAA headaches themselves, and went through Y Combinator in 2024.

In July 2025, Delve raised $32 million in Series A funding led by Insight Partners. Before that they had raised a $3.3 million seed round and went through Y Combinator.

Delve’s pitch is speed through AI. They claim to get companies compliant in days rather than months, using what they call “agentic AI” through an “AI-native” platform.

Their marketing promises AI agents that automatically collect evidence, write reports, and monitor compliance gaps without human busywork.

Who it affects

Compliance exists so that when a startup says “we’re SOC 2 certified,” or “HIPAA compliant,” or “GDPR compliant,” a hospital or a bank or a defense contractor can trust that claim enough to share data. When that trust is manufactured instead of earned, the damage doesn’t stop at the company that bought the report. It flows downstream to their customers, their customers’ customers, and eventually to individuals whose medical records, financial data, or personal information ends up exposed because someone cut corners.

HIPAA and GDPR weren’t created as paperwork exercises. They exist because criminals actively want health records to sell, identities to steal, and systems to ransom. Faking compliance doesn’t just violate some abstract professional code. It leaves actual people unprotected against actual threats.

Delve’s clients are in an impossible position. They paid for expertise they didn’t get, received platforms showing 100% completion that meant nothing, and were handed the same pre-fabricated evidence as a thousand other companies. They were told this was how compliance worked now: fast, automated, handled. They published trust pages broadcasting security measures they never implemented, because Delve said those pages were accurate. Now they face liability for representations they made in good faith, based on assurances that turned out to be lies.

That is where the anger should go. Delve built a machine designed to make clients complicit without their knowledge, to manufacture plausible deniability while producing exactly the opposite.

Source: X

Key Points

  • 493 out of 494 leaked SOC 2 reports allegedly contain identical boilerplate text, including the same grammatical errors and nonsensical sentences, with only a company name, logo, org chart, and signature swapped in
  • Auditor conclusions and test procedures are reportedly pre-written in draft reports before clients even provide their company description, which would violate AICPA independence rules requiring auditors to independently design tests and form conclusions
  • All 259 Type II reports claim zero security incidents, zero personnel changes, zero customer terminations, and zero cyber incidents during the observation period, with identical "unable to test" conclusions across every client
  • Delve's "US-based auditors" are actually Accorp and Gradient, described as Indian certification mills operating through US shell entities. 99% of clients reportedly went through one of these two firms over the past 6 months
  • The platform allegedly publishes fully populated trust pages claiming vulnerability scanning, pentesting, and data recovery simulations before any compliance work has been done
  • Delve pre-fabricates board meeting minutes, risk assessments, security incident simulations, and employee evidence that clients can adopt with a single click, according to the author
  • Most "integrations" are just containers for manual screenshots with no actual API connections. The author describes the platform as a "SOC 2 template pack with a thin SaaS wrapper"
  • When the leak was exposed, CEO Karun Kaushik emailed clients calling the allegations "falsified claims" from an "AI-generated email" and stated no sensitive data was accessed, while the reports themselves contained private signatures and confidential architecture diagrams
  • Companies relying on these reports could face criminal liability under HIPAA and fines up to 4% of global revenue under GDPR for compliance violations they believed were resolved
  • When clients threaten to leave, Delve reportedly pairs them with an external vCISO for manual off-platform work, which the author argues proves their own platform can't deliver real compliance
  • Delve's sales price dropped from $15,000 to $6,000 with ISO 27001 and a penetration test thrown in when a client mentioned considering a competitor