Delve, ‘Fake Compliance’ and the Startup Habit of Treating Trust as an API

April 1, 2026

If the allegations against Delve are even partially true, we’re not just looking at one rogue startup – we’re staring at a culture problem in how tech treats security and compliance. Certifications have become a growth hack, not a protection mechanism. Automated compliance tools promise startups a shortcut through painful audits, but when the shortcut becomes the product, the temptation to cut corners skyrockets. In this piece, we’ll unpack what the Delve whistleblower story really signals for security startups, auditors, regulators and any company that has ever proudly tweeted “We’re SOC 2 compliant”.


The news in brief

According to TechCrunch, compliance automation startup Delve is facing new accusations from an anonymous whistleblower using the handle DeepDelver. A day after Delve’s founder and CEO Karun Kaushik published a long denial on X, rejecting claims that the company fabricated evidence for customers’ compliance audits, the whistleblower returned with what they say are “receipts”: a video and screenshots of internal Slack messages.

Delve, a Y Combinator 2023 alumnus founded by 21‑year‑old MIT dropouts, builds software that automates the work required to obtain security certifications and demonstrate compliance with regulations such as GDPR. The company raised a $32 million Series A round last summer, led by Insight Partners, following a $3 million seed round just months earlier.

TechCrunch notes that one prominent Delve customer, LiteLLM, recently suffered a high‑profile incident when its open source project was compromised with malware, despite having obtained two security certifications with Delve’s help. The whistleblower has indicated that more disclosures may follow.


Why this matters

The Delve story hits a nerve because it touches the most fragile asset in the digital economy: borrowed trust. Most startups don’t have the time or expertise to design mature security programmes, so they lean on a web of auditors, frameworks and tooling vendors. If one of those vendors is accused of faking evidence, every link in that trust chain comes into question.

There are three immediate groups at stake:

  • Customers who relied on Delve to “become compliant” may find their certifications – and the deals tied to them – under scrutiny. If even a fraction of the work was fabricated, counterparties and regulators will ask what exactly those certificates are worth.
  • Investors and auditors are forced to confront whether their due diligence on compliance‑as‑a‑service startups has been mostly paper‑based and superficial. A $32 million Series A only months after seed suggests intense growth pressure.
  • The broader market for security certifications takes a reputational hit. Many practitioners already argue that SOC 2, ISO 27001 and similar frameworks often amount to “security theater”. A scandal around automated compliance tools will only reinforce that perception.

Paradoxically, the immediate loser might be the very category Delve operates in. Automation vendors that are actually rigorous will now need to over‑prove their integrity. The winners, at least in the short term, may be more conservative players: established audit firms and in‑house security teams who have long warned against over‑reliance on checkbox tools.

The deeper risk is cultural. When compliance becomes a sales enabler rather than an internal discipline, founders are incentivised to treat “pass the audit” as the KPI – not “actually reduce risk”. That is how good intentions slide into cutting corners.


The bigger picture

The Delve allegations don’t appear in a vacuum; they sit on top of several converging trends.

First, there has been an explosive boom in compliance automation over the last five years. In the US alone, companies like Vanta, Drata and Secureframe built large businesses on simplifying SOC 2 and ISO audits for SaaS startups. Europe has its own wave of privacy and compliance platforms. The pitch is always similar: answer questionnaires once, connect your cloud accounts, auto‑generate evidence, and let the tool talk to the auditor.

Second, the industry has been quietly outsourcing judgment to templates. Security questionnaires have turned into copy‑paste exercises. Policies are generated by AI. Controls are mapped automatically to frameworks. That’s all extremely useful – until someone starts optimising for speed and optics over reality.

Historically, we’ve seen versions of this before. In financial services, the Wirecard scandal showed what happens when auditors, investors and partners are dazzled by growth and stop asking hard questions. In cybersecurity, major breaches at otherwise “certified” organisations have repeatedly exposed the gap between having a badge and actually being resilient.

Third, the AI boom amplifies both the complexity and the hype. AI infrastructure startups are rushing to sell into enterprises that demand strong assurances around data protection, model security and regulatory compliance. That creates fertile ground for tools that promise “SOC 2 in weeks, not months”. The LiteLLM incident mentioned by TechCrunch – a malware compromise in a project that proudly held two certifications – is exactly the kind of cognitive dissonance that erodes faith in the system.

Compared with traditional auditors, startups like Delve operate at “Silicon Valley speed”. That speed is attractive – until it collides with the slow, methodical nature of true risk management. The allegations here are a reminder that some parts of the stack, like cryptography or aircraft safety, simply don’t tolerate “move fast and break things”.


The European / regional angle

For European companies, the Delve episode is not just Silicon Valley drama; it’s a live test of how outsourced compliance fits with strict EU regulation.

Under GDPR, the upcoming EU AI Act, NIS2 and sectoral rules such as DORA for finance, organisations remain fully responsible for their security and privacy posture, even if they use third‑party tools. If a vendor falsifies evidence and that leads to weak controls or a breach, regulators won’t accept “our startup said we were compliant” as a defence.

European firms, especially SMEs, increasingly buy US‑based compliance services to access global markets and satisfy enterprise procurement. That includes fast‑growing ecosystems in Berlin, Paris, Barcelona, Ljubljana or Zagreb, where exporting SaaS to the US often requires SOC 2 and ISO certificates.

But EU regulators and many corporate CISOs already view tick‑box compliance with suspicion. They care about data residency, lawful transfer mechanisms post‑Schrems II, and demonstrable risk assessments – not just badges on a landing page.

If the Delve allegations escalate, expect:

  • More scrutiny of automated compliance vendors in EU procurement and due diligence processes.
  • Questions from regulators about how evidence is generated and verified, particularly when used to demonstrate GDPR accountability.
  • Fresh opportunities for European privacy‑ and security‑by‑design companies that can credibly differentiate themselves from “compliance theater”.

In markets like Germany or the Nordics, where privacy culture is strong, this could accelerate a shift back towards deeper, risk‑based audits instead of lightweight questionnaire‑driven ones.


Looking ahead

What happens next will depend largely on two things: the quality of the whistleblower’s evidence and the reactions of customers and investors.

If future disclosures present clear, contextualised proof that Delve employees knowingly fabricated evidence, we can expect:

  • Internal investigations and possibly regulatory interest in key jurisdictions where Delve’s customers operate.
  • Contract disputes or renegotiations as buyers reassess the value of the certifications they obtained via the platform.
  • Tough questions for Delve’s board and investors about governance, incentives and oversight.

If, on the other hand, the material turns out to show sloppiness or poor process rather than outright fraud, the outcome may be more muted: a cautionary tale and a wave of “trust, but verify” messaging across the sector.

For readers – especially founders and security leaders – the key signals to watch are:

  • Customer behaviour: Do high‑profile users pause renewals or publicly distance themselves?
  • Audit firm responses: Do auditors tighten their methodology around automated evidence collection?
  • Regulatory commentary: Any hint from EU DPAs or US regulators that automated compliance tools are on their radar.

The broader opportunity here is cultural. This is a moment for the industry to pivot from “compliance as a badge” to compliance as an internal habit, supported by tools but not delegated to them. Startups that can show real‑time, substantive security practices – and invite scrutiny rather than shy away from it – will emerge stronger.


The bottom line

The Delve whistleblower saga is less about one YC startup and more about a fragile ecosystem built on certificates that many practitioners already distrust. Whether or not the harshest claims are proven, this should be a wake‑up call for anyone treating compliance as a product feature instead of a governance responsibility. If trust is now sold as an API, who is checking the implementation? And as a buyer, are you prepared to look beyond the logo and ask how your “compliance” was actually produced?
