Y Combinator Cuts Ties With Compliance Startup Delve Amid Controversy

by priyanka.patel tech editor

The compliance startup Delve has officially parted ways with Y Combinator, the prestigious startup accelerator, marking a significant blow to a company already struggling under a wave of misconduct allegations. The separation became evident after Delve was removed from the YC portfolio directory and its dedicated company page vanished from the accelerator’s website.

Selin Kocalar, Delve’s Chief Operating Officer, confirmed the split via a post on X, reflecting on the company’s early days while acknowledging the end of the partnership. “I still remember the day we took our YC interview at MIT,” Kocalar said. “We’re so grateful to the community and every founder friend we’ve made.”

The decision for Delve to part ways with Y Combinator follows a period of intense scrutiny and a series of claims suggesting the startup may have fundamentally misled its clients regarding security certifications. This fallout is not isolated to YC. Insight Partners also appeared to distance itself from the company by deleting posts regarding its investment, though some primary blog content was later restored.

The ‘Fake Compliance’ Allegations

The current crisis began with a series of anonymous reports published on a Substack by an entity known as “DeepDelver.” The author, claiming to be a former customer, alleged that Delve operated a “fake compliance as a service” model. According to these reports, the startup allegedly told clients they were compliant with critical privacy and security regulations while skipping essential requirements.

DeepDelver further claimed that Delve auto-generated reports for “certification mills,” which are auditing firms that allegedly rubber-stamp compliance documents without performing rigorous checks. To support these claims, the anonymous source shared what they described as internal Slack messages and video recordings from within the company.

The controversy expanded when a security researcher reported being able to access sensitive Delve data, raising questions about the very security the company was paid to help others achieve. Delve also faced criticism for allegedly using an open-source tool and passing it off as proprietary software without providing proper credit to the original developer.

Adding to the instability, Delve became linked to a separate security incident involving LiteLLM, an AI project and Delve customer, which was found to have malware within its open-source project.

Delve’s Defense: A ‘Coordinated Smear Campaign’

Delve’s leadership has vehemently denied the whistleblower’s narrative, framing the situation as a targeted attack rather than a legitimate internal leak. In a detailed response on the company’s official blog, CEO Karun Kaushik and COO Selin Kocalar asserted that the company has engaged a cybersecurity firm to investigate the breach.

The executives claim that an attacker purchased Delve services under false pretenses to exfiltrate internal data, which was then used to launch a “coordinated smear campaign.” As evidence, the company provided a screenshot they claim shows the attacker using file.io to move an audit tracking spreadsheet off their systems.

Regarding the technical allegations, Delve clarified its use of open-source software, stating that it built its platform on an Apache 2.0 repository. Because the Apache 2.0 license explicitly permits commercial use, the company maintains that its actions were legal and that it significantly rebuilt the code for specific compliance use cases.

They also pushed back against the criticism of their AI tools, noting that while DeepDelver dismissed the technology, the AI successfully automated 70% of security questionnaires, which the company views as an efficiency gain rather than a failure of diligence.

Remediation and Corporate Apologies

Despite the aggressive defense against the “DeepDelver” reports, Delve has admitted to operational failures. CEO Karun Kaushik issued a public apology, acknowledging that the company’s rapid growth may have compromised its quality control.

To regain customer trust, the company has outlined several corrective measures intended to stabilize its platform and ensure the validity of its compliance outcomes. These steps include:

  • Auditor Vetting: Removing auditing firms from their network that do not meet revised internal standards.
  • Customer Support: Providing complimentary penetration tests and re-audits to all currently active customers.
  • Template Clarification: Explicitly labeling internal templates—such as those for board meeting notes—as starting points rather than final, compliant documents.

Timeline of the Delve Controversy

Key milestones in the Delve compliance dispute

| Event | Detail |
|---|---|
| Initial Allegations | “DeepDelver” Substack posts claim fake compliance reports. |
| Technical Breach | Security researcher reports access to sensitive company data. |
| Customer Fallout | Malware discovered in open-source project by customer LiteLLM. |
| Investor Distance | Insight Partners and Y Combinator distance themselves from the firm. |
| Corporate Response | Delve claims a malicious attack and offers customer re-audits. |

The separation from Y Combinator serves as a stark reminder of the risks associated with “blitzscaling” in the highly regulated space of security and compliance. For a company whose primary value proposition is trust and verification, the loss of its most prominent accelerator suggests a deep fracture in its institutional credibility.

Disclaimer: This article discusses matters related to venture capital and corporate compliance. It is provided for informational purposes and does not constitute financial or legal advice.

The company’s next major milestone will be the completion of the third-party cybersecurity audit intended to prove the “malicious attack” theory. Whether these findings will be enough to lure back investors or satisfy remaining clients remains to be seen.
