Synopsis
Delve’s removal from Y Combinator’s directory follows allegations that compliance certifications for hundreds of Delve’s clients were fabricated. The company has pushed back, saying leaked data was taken out of context as part of a malicious campaign.
In addition, an alleged screenshot of a message from Y Combinator CEO Garry Tan on Bookface (a platform used by YC founders to connect) is circulating, suggesting the firm was asked to leave, even as Kocalar’s post struck a more positive tone about the split.
Meanwhile, the company’s leadership has responded to the allegations.
CEO Karun Kaushik and Kocalar shared their side on the social media platform X, with Kaushik saying they want to “set the record straight” on the anonymous attacks. He said that the evidence points to a “targeted cyberattack” rather than a whistleblower.
Kaushik wrote, “We believe the attacker purchased Delve under false pretences, exfiltrated internal company data, and used it to launch a coordinated smear campaign. The posts rely on a mix of fabricated claims, cherry-picked screenshots, and stolen data taken out of context.”
However, he also added, “We take these allegations seriously and have made changes: a new auditor network, free re-audits and pentests for all customers, enhanced transparency in audit communications, and more.”
Founded in 2023 by Kaushik and Kocalar, Delve is headquartered in San Francisco and was part of the Y Combinator Winter 2024 batch. The startup uses AI to automate back-office tasks such as security compliance and helps businesses obtain certifications like SOC 2, ISO 27001, HIPAA, and GDPR.
Such certifications are crucial for startups seeking enterprise clients, signalling that the company meets widely recognised security and privacy standards.
What were the allegations?
An investigation published on Substack by DeepDelver on March 19 claimed a leaked spreadsheet revealed hundreds of draft compliance reports that may not have been properly audited.
The report suggested many SOC 2 reports followed the same template, sharing identical wording and errors, with only minor company-specific details changed. It also alleged that audit conclusions were written in advance, consistently showing zero security incidents or operational issues, a result experts say is improbable in practice.
Additionally, concerns were raised over Delve’s auditors, advertised as “US-based,” but allegedly outsourced to firms in India operating through US shell companies, raising questions about independence. The investigation also claimed that the platform generated ready-made compliance documents, including risk assessments and security reports, which clients could use with minimal modification.
While Delve promoted integrations with cloud platforms and code repositories, many uploads were reportedly manual, such as screenshots, rather than automated API connections, limiting real-time compliance monitoring.
DeepDelver also claimed that Delve used an open-source tool and presented it as its own work, without crediting or paying the original developer.
Cyberattack evidence
In a blog post, Delve stated that it believes the leaks were part of a “coordinated, targeted cyberattack.” A screenshot was shared showing the attacker exfiltrating the audit tracking spreadsheet via file.io, which was later anonymously emailed to clients and surfaced on Substack.
“This is one of numerous instances of the attacker targeting our proprietary information. While we believe we were the primary target, we have notified customers we know were affected at this time,” the company added.
Delve argued that the Substack relied on cherry-picked data and misleading claims.
Giving examples, it said the posts dismissed Delve’s AI while noting it automated 70% of a security questionnaire, highlighted one manual integration while ignoring over 600 automated tests, and misrepresented its use of standard policy templates.
Delve also said that the Substack falsely suggested the startup “stole” from another YC company.
“...in reality we built on an Apache 2.0 open-source repository, which explicitly permits commercial use, and significantly rebuilt it for compliance use cases,” it said.
“This framing is plainly designed to undermine confidence in Delve across customers, investors, team members, and auditors rather than reflect how the platform actually works,” the company added.
Why this matters
Compliance certifications such as SOC 2 and ISO 27001 are intended to ensure companies follow robust security and data protection practices. Weaknesses in these processes can have serious consequences.
If certifications are compromised, businesses relying on them may face legal and financial risks for breaches they assumed had been resolved, including liability under the Health Insurance Portability and Accountability Act (HIPAA) and fines under the General Data Protection Regulation (GDPR) of up to 4% of global revenue.