Compliance startup Delve is facing serious accusations of misleading its customers by allegedly faking compliance with critical data privacy and security regulations. An anonymous source published claims on Substack suggesting hundreds of clients were falsely assured they met standards like HIPAA and GDPR. This situation could leave these businesses facing significant legal penalties and hefty fines.

The anonymous report, posted by “DeepDelver,” outlines a serious distrust that grew among former Delve clients. The author, who claims to have worked at a now-former client company, detailed suspicions arising after an email in December suggested a data leak. Despite assurances from Delve CEO Karun Kaushik that client data was secure and compliance was maintained, the clients grew uneasy.

According to “DeepDelver,” a group of former clients pooled their observations and discovered Delve allegedly achieved its speed claims by manufacturing compliance documentation. The accusations suggest the company generated fake audit conclusions and skipped essential regulatory requirements. This practice would mean clients were led to believe they were fully compliant when, in reality, they were not.

The Substack post delves into specific allegations, stating Delve provided clients with fabricated evidence of board meetings, security tests, and internal processes that never actually occurred. Clients were reportedly forced to choose between accepting this manufactured proof or undertaking extensive manual work with minimal automated support from Delve’s platform.

Delve has publicly responded to the allegations, publishing a blog post on Friday refuting the claims and labeling the Substack post as misleading. The company stated the anonymous report contains several inaccuracies. However, the detailed nature of the accusations raises significant questions about Delve’s operational practices and the true compliance status of its customer base.