Updated March 21, 2026: Delve has published a formal response to the allegations, and at least one major customer — Lovable — has publicly confirmed it already left Delve for a competitor. Details below.
When a compliance platform promises to get your SOC 2 done in weeks for a fraction of the cost of a traditional audit, the right question isn’t “how fast?” It’s “how real?”
A detailed investigation into Delve, a Y Combinator-backed compliance automation startup that raised $32 million and was co-founded by Forbes 30 Under 30 alumni, suggests the answer may have been: not real at all.
What Happened
The DeepDelver Substack published an investigation based on a leaked Google spreadsheet containing hundreds of Delve clients’ draft audit reports across SOC 2, ISO 27001, HIPAA, and GDPR frameworks. The full investigation makes for uncomfortable reading for anyone in GRC.
Across the 493 or 494 leaked SOC 2 reports analyzed, the findings were damning: the reports were essentially identical, with the same boilerplate language, the same grammatical errors and the same structural quirks, and only the client’s name, logo, org chart, and signature block changed. Not similar. Identical. Down to the typos.
The investigation found that auditor conclusions appeared to have been written before any evidence was reviewed. That inverts the AICPA attestation standards a SOC 2 examination is performed under: the auditor’s opinion must be formed from the evidence gathered, not drafted in advance and populated with the client’s details afterward.
Perhaps most striking: all 259 Type II SOC 2 reports in the leaked set claimed zero security incidents, zero personnel changes, and zero cyber incidents during their observation periods. Every single one. All with identical “unable to test” conclusions across the same control categories. No real population of 259 organizations produces that over multi-month observation periods: even if each organization independently had a 90% chance of a clean period, the chance that all 259 do is 0.9^259, roughly one in a trillion.
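The checks the investigation describes (identical text once the client name is masked, shared typos, placeholder “zero incidents” values) are mechanical enough that a vendor-risk team can run them over any batch of reports it receives. The script below is an added example written for this article; it is not code from DeepDelver, Delve, or any auditor named here. The four sample reports and their client names are constructed, the shingle size of five words and the 0.9 near-duplicate threshold are assumptions to tune against a known-good corpus, and the “recieved” typo is planted to show how shared errors surface as reused wording.

```python
"""Screen a batch of audit reports for templating artifacts.

Added example for this article; not code from DeepDelver, Delve or any
auditor. All report texts and client names below are constructed.
"""
from __future__ import annotations

import hashlib
import re
from itertools import combinations

# Constructed sample: three reports that share one template (including a
# deliberate typo, "recieved", and a placeholder "zero incidents" claim) and
# one report whose content is specific to the client.
_TEMPLATE = (
    "Independent Service Auditor's Report for {client}. During the observation "
    "period {client} recieved no complaints and reported zero security incidents, "
    "zero personnel changes and zero cyber incidents. Management of {client} "
    "asserts that controls operated effectively. The service auditor was unable "
    "to test controls in the vendor management category."
)
SAMPLE_REPORTS = {
    "Acme Widgets": _TEMPLATE.format(client="Acme Widgets"),
    "Globex Corp": _TEMPLATE.format(client="Globex Corp"),
    "Umbrella Ltd": _TEMPLATE.format(client="Umbrella Ltd"),
    "Initech": (
        "Independent Service Auditor's Report for Initech. During the observation "
        "period Initech logged two security incidents, both remediated within the "
        "SLA; three personnel changes were recorded with access revoked at "
        "offboarding. Controls operated effectively; vendor management was tested "
        "by inspecting the vendor inventory."
    ),
}

ZERO_CLAIM = re.compile(r"\bzero\s+(?:security|cyber)\s+incidents\b", re.IGNORECASE)
NEAR_DUPLICATE_THRESHOLD = 0.9  # assumption: tune against a known-good corpus


def normalize(text: str, client_name: str) -> str:
    """Mask the client name and collapse whitespace and case, so reports that
    differ only in the name compare as equal."""
    masked = re.sub(re.escape(client_name), "<CLIENT>", text, flags=re.IGNORECASE)
    return re.sub(r"\s+", " ", masked).strip().lower()


def fingerprint(text: str, client_name: str) -> str:
    """Exact-match fingerprint of the masked report."""
    return hashlib.sha256(normalize(text, client_name).encode()).hexdigest()


def shingles(text: str, k: int = 5) -> set[tuple[str, ...]]:
    """Word k-grams; reports with the same wording share most shingles."""
    words = text.split()
    return {tuple(words[i:i + k]) for i in range(len(words) - k + 1)}


def jaccard(a: set, b: set) -> float:
    return len(a & b) / len(a | b) if (a or b) else 1.0


def screen(reports: dict[str, str]) -> dict:
    """reports maps client name -> report text. Returns flags for a reviewer."""
    masked = {c: normalize(t, c) for c, t in reports.items()}
    sets = {c: shingles(m) for c, m in masked.items()}

    # 1. Reports that are identical once the client name is masked.
    by_fp: dict[str, list[str]] = {}
    for c, t in reports.items():
        by_fp.setdefault(fingerprint(t, c), []).append(c)
    identical_groups = [g for g in by_fp.values() if len(g) > 1]

    # 2. Near-duplicates: high Jaccard overlap of word shingles.
    near_duplicates = [
        (a, b, round(jaccard(sets[a], sets[b]), 3))
        for a, b in combinations(reports, 2)
        if jaccard(sets[a], sets[b]) >= NEAR_DUPLICATE_THRESHOLD
    ]

    # 3. How much of each report's wording appears verbatim in another report
    #    (shared typos and boilerplate both land here).
    reused_fraction = {}
    for c, s in sets.items():
        others = set().union(*(o for d, o in sets.items() if d != c))
        reused_fraction[c] = round(len(s & others) / len(s), 3) if s else 0.0

    # 4. Placeholder-looking "zero incidents" assertions.
    zero_incident_claims = [c for c, t in reports.items() if ZERO_CLAIM.search(t)]

    return {
        "identical_groups": identical_groups,
        "near_duplicates": near_duplicates,
        "reused_fraction": reused_fraction,
        "zero_incident_claims": zero_incident_claims,
    }


if __name__ == "__main__":
    for key, value in screen(SAMPLE_REPORTS).items():
        print(f"{key}: {value}")
```

On the constructed sample the three templated reports collapse to one fingerprint, score 1.0 against each other, and have 100% of their wording reused elsewhere, while the client-specific report shares only the opening sentence. In practice, feed `screen` the extracted text of every report in a vendor population and treat any identical group, any near-duplicate pair across unrelated vendors, and any cluster of “zero incidents” claims as a prompt for direct evidence requests rather than as proof of fraud on its own.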
The CEO of Delve publicly dismissed the investigation as “falsified claims from an AI-generated email” — a response that, as of this writing, has done little to address the specific documentary evidence.
How the Scheme Allegedly Worked
The architecture of what DeepDelver describes is worth understanding in detail, because it has implications beyond Delve specifically.
The auditor problem: Delve marketed itself as using “US-based auditors.” In practice, the investigation found that 99%+ of client audits were routed through two firms: Accorp and Gradient — described as Indian certification mills operating through U.S. shell structures. The independence and professional licensing questions raised by this arrangement are significant.
The trust page problem: Delve’s platform publishes what it calls “trust pages” — public-facing compliance portals that clients can share with prospects and partners as evidence of their security posture. According to the investigation, these pages were populated with claims about completed vulnerability scans and penetration tests before that work had actually been performed. The compliance artifact was created before the compliance activity.
The one-click fabrication problem: The platform allegedly offered clients the ability to adopt pre-fabricated board minutes, risk assessments, and security simulation records with a single click. These aren’t administrative conveniences — they are the documentary evidence that underpins a compliance assertion. Generating them automatically, without underlying organizational work, is fabrication by another name.
The integration problem: Most of Delve’s advertised integrations — the technical connections to cloud infrastructure, identity providers, and security tools that should provide the automated evidence collection underpinning modern compliance platforms — allegedly functioned as containers for manual screenshots rather than real API connections. The appearance of automated evidence collection without the substance of it.
Why This Matters for Your Compliance Program
If your organization received a SOC 2 report, ISO 27001 certificate, HIPAA attestation, or GDPR compliance documentation from a Delve client — or if your organization used Delve directly — you have exposure worth understanding.
Vendor risk: SOC 2 Type II reports are routinely used by organizations to evaluate the security posture of their vendors and service providers. If a significant portion of issued reports share the characteristics described above, your vendor risk assessments may be built on documentation that does not reflect the vendor’s actual security controls. The control environment you thought you were relying on may not exist as described.
Regulatory and criminal exposure: HIPAA compliance is not merely a business preference. Organizations that obtained attestations through a process like this, and used them to demonstrate compliance to covered entities or business associates, face enforcement exposure: civil penalties from the HHS Office for Civil Rights, and criminal referral to the Department of Justice where the misconduct is knowing. HIPAA’s civil penalty tiers do scale with culpability, but the lowest tier applies only where the organization did not know and, with reasonable diligence, would not have known of the violation. Paying for documentation while the underlying safeguards were never implemented is not what reasonable diligence looks like, and it is the missing safeguards, not the paperwork, that put patient data at risk.
Regulatory fines: GDPR does not require a certificate, but it does require that a controller or processor be able to demonstrate compliance (the accountability principle in Article 5(2)) and that appropriate technical and organisational measures actually be in place. Documentation that was fabricated rather than earned evidences neither, and the fines in Article 83 run to €20 million or 4% of worldwide annual turnover, whichever is higher. More importantly, it means the data protection controls that documentation is supposed to evidence may not exist: a substantive risk to the individuals whose data you process, and a substantive liability for your organization.
The “I didn’t know” defense: If a regulatory investigation or a data breach occurs, and it emerges that your organization’s compliance documentation was produced through a process later found to be fraudulent, the “we relied on our compliance vendor” argument has limited legal currency. The compliance obligation belonged to your organization, not to Delve.
Real Compliance vs. What This Describes
A genuine SOC 2 Type II audit is an examination under the AICPA attestation standards, performed by a licensed CPA firm independent of the organization being audited, over a defined observation period, typically six to twelve months. The auditor collects and tests evidence of control operation throughout that period: system logs, access reviews, change management records, incident logs, vendor documentation.
The auditor’s conclusions must be formed as a result of that evidence. An auditor who writes the conclusions first and fills in the evidence afterward has not conducted an audit. They have produced a document.
Zero security incidents across 259 organizations over multi-month periods is not a compliance outcome. It is a template value that was never updated.
The Market Pressure Context: This Is Bigger Than Delve
The compliance automation market has been in an accelerating race to the bottom on price and speed. Vanta now sells SOC 2 Express Packages at around $5,000. The message to the market is that enterprise-grade compliance can be turned on like a utility — and that creates demand for providers willing to deliver exactly that price signal.
When clients threatened to leave Delve, the response was reportedly to pair them with an external vCISO for manual work — an implicit acknowledgment that the platform wasn’t delivering real compliance. Pricing reportedly dropped from $15,000 to $6,000 with ISO 27001 and a penetration test thrown in. Those economics do not support a legitimate audit process.
The compliance certification industry has a structural problem: the buyers of compliance reports are not always the parties bearing the risk if those reports are wrong. When a startup buys a SOC 2 to satisfy a procurement questionnaire, the enterprise asking for that report is the one relying on its accuracy. That misalignment creates incentive for exactly what is alleged here.
What to Do Now
If you’re a Delve client: Engage a qualified attorney before taking any public action. Commission an independent gap assessment to understand the actual state of your controls. If you operate in HIPAA-regulated environments, brief your privacy counsel immediately.
If you received a Delve-processed report from a vendor: Add enhanced questionnaires and direct evidence requests to your vendor review process. Ask for samples of the underlying artifacts for the observation period (access reviews, change records, incident tickets) rather than the report alone. A SOC 2 report from this period may require independent verification before you rely on it.
If you’re evaluating compliance automation platforms: Require disclosure of the actual auditing firm and verify its standing independently: for SOC 2, a CPA firm licensed with its state board of accountancy; for ISO 27001, a certification body accredited by a recognized accreditation body. Speak directly with the auditor, not just the platform, about their methodology and sampling. If the auditor is a name you can’t independently verify, that’s a due diligence finding.
Compliance documentation exists to convey real information about real control environments. When it conveys nothing except the willingness to pay for a PDF, it fails everyone downstream who relied on it to make a risk decision.
That’s the Delve story, and it’s one the compliance profession needs to sit with.
Update: Delve Responds — And a Major Customer Goes Public
Updated March 21, 2026
Delve’s Formal Response
On March 20, 2026 — the same day this article was published — Delve posted a public statement titled “Response to Misleading Claims” on their website, disputing the Substack investigation point by point. Their five core arguments:
1. “Delve does not conduct audits or issue fake SOC 2 reports.” Delve says it is an automation platform, not an auditing firm. They claim to ingest data, manage technical integrations, and assist customers in implementing compliance requirements — then grant independent, licensed auditors access to an audit dashboard to review evidence. Final reports, Delve states, are issued solely by the independent auditors, not Delve.
What this doesn’t address: The original investigation’s core claim wasn’t that Delve signed reports — it was that the content of those reports, across hundreds of clients and multiple auditors, was statistically identical in ways that suggest the conclusions were pre-populated rather than evidence-derived. Identifying who put their name on the PDF doesn’t resolve the uniformity question.
2. “Customers work with independent, accredited auditors.” Delve denies relying on “Indian certification mills” and says customers can choose any accredited third-party audit firm from a network of established firms used broadly across the industry.
What this doesn’t address: The investigation named specific firms — Accorp and Gradient — and alleged that 99%+ of reports were routed through them. Delve’s response doesn’t address those specific firms or the routing concentration the investigation described.
3. “Standardization is inherent in compliance frameworks.” Delve argues that modern compliance platforms by design produce reports with structural overlap, because they’re built on the same AICPA, ISO, and NIST standards. Template similarity is expected across the industry.
What this doesn’t address: The investigation identified identical grammatical errors, identical typos, and identical placeholder values — including zero security incidents across all 259 Type II reports — that go beyond framework-level structural similarity. The argument that templates produce similar structure doesn’t explain identical error patterns.
4. “Delve does not produce fake evidence.” Delve says their board minutes, risk assessments, and security documentation are starting points that customers are responsible for reviewing, modifying, and finalizing. Draft templates are not evidence fabrication.
What this doesn’t address: The original allegation was that the platform offered one-click adoption of pre-fabricated compliance artifacts — not that templates exist, but that the workflow made it trivially easy to adopt them without underlying organizational work. The response reframes “draft templates” without addressing how they were deployed in practice.
5. “Delve is not a manual platform — it supports 120+ integrations.” Delve disputes the claim that it has only 14 integrations and says its platform has grown significantly.
Note: This is the most straightforwardly verifiable of the five claims and the least consequential to the central allegations. The investigation’s point was not the number of integrations but whether they pull evidence over live API connections or wrap manually uploaded screenshots, and an integration count does not answer that.
Delve concluded by stating they are “actively investigating any leaks” and promised further responses to additional allegations. The statement did not include any independent verification, data, or auditor attestation to support their positions.
Lovable Publicly Confirms It Left Delve
The same day Delve published its rebuttal, Lovable — a prominent AI-powered web development platform — posted a public statement on X (Twitter) clarifying its relationship with Delve:
“We’re aware of recent reporting about Delve’s compliance practices. Lovable is not a Delve customer. We proactively moved to Vanta in late 2025, before any of this came to light.”
Lovable also said that its SOC 2 Type II was independently audited by Prescient Assurance, that it is currently undergoing an independent internal audit of its ISMS and recertifying to ISO 27001, and that its next SOC 2 Type II is scheduled for Q3 2026.
The significance of this disclosure: Lovable didn’t leave because of the scandal. They left before it — suggesting that their experience as a customer led them to seek an alternative independently. That’s a different signal than a reactive customer departure, and it’s the kind of signal that due diligence teams notice.
What to Make of the Response
Delve’s rebuttal follows a recognizable pattern for companies responding to operational investigations: dispute framing, emphasize process language, and avoid engaging with the specific documented evidence. The five-point response addresses the categories of allegation without engaging with the specific artifacts — the spreadsheet of 493 reports, the identical typos, the zero-incident uniformity — that the Substack investigation rested on.
For GRC professionals evaluating what to do with Delve-issued documentation in their vendor risk programs, the response doesn’t change the underlying question: if you received a SOC 2 report from a Delve client, does that report accurately reflect the client’s actual control environment? Delve’s statement that their auditors are independent doesn’t answer that question if the auditor’s conclusions were shaped by the platform’s evidence-collection process before the evidence was gathered.
The compliance profession will be watching to see whether Delve produces third-party verification of its integration claims, whether the specific auditing firms named in the investigation respond publicly, and whether any oversight body, whether a state board of accountancy, the AICPA’s professional ethics process, or an agency with HIPAA or GDPR jurisdiction, opens a formal inquiry.
Until then, the posture for vendor risk programs remains unchanged: treat Delve-issued compliance documentation from this period as requiring independent verification before it can be relied upon in a risk decision.