$300M YC Startup Accused of Being Completely Fake
Anthony Sistilli
130,637 views • 15 days ago
Video Summary
The video details allegations against Y Combinator-backed startup Delve, which promised rapid SOC 2 compliance for businesses using AI. An anonymous Substack post, authored by an alleged client employee, claims Delve facilitated fraud by providing fake board meeting notes, risk assessments, and employee evidence, essentially copy-pasted between clients. The company, which raised $32 million and had founders featured on Forbes 30 Under 30, is accused of circumventing the independent audit process by using overseas "certification mills" operating through US shell companies. This raises significant liability concerns for their 1,500 clients, as their own compliance could be invalidated.
A particularly concerning aspect is Delve's alleged creation of fully populated "trust pages" and compliance reports before any actual work was done, with many listed security measures not implemented by their platform. The company's response, an AI-generated email and a vague blog post, downplayed the allegations, attributing the leaked customer spreadsheet to "human error" and a "mistake" in public visibility settings, while assuring customers of their compliance. This defense, coupled with the company's reliance on storytelling and rapid scaling, suggests a potential pattern of prioritizing growth and investor perception over genuine security and compliance. One startling detail is that Delve allegedly claimed to have never failed an audit and boasted about Fortune 500 companies using their process, creating a false sense of security for their clients.
Short Highlights
- Delve, a YC-backed AI startup, is accused of faking SOC 2 compliance for its clients, raising significant liability concerns.
- An anonymous Substack report details allegations of Delve creating fake board meeting notes, risk assessments, and employee evidence.
- The company allegedly used overseas "certification mills" and US shell companies to bypass independent audit requirements.
- Delve raised $32 million and its founders were recognized on Forbes 30 Under 30.
- The company's response involved an AI-generated email and a vague blog post, blaming "human error" for a leaked customer spreadsheet.
- Delve's platform is accused of generating fake compliance reports and trust pages before any real work was done.
- The timeline of accusations began with a leaked spreadsheet of ~600 Delve customers in December.
Key Details
Allegations of Fraudulent SOC 2 Compliance at Delve [0:00]
- Delve, a YC-backed company that raised $32 million and had founders featured on Forbes 30 Under 30, is under scrutiny for allegedly faking its SOC 2 compliance services.
- The company's pitch centered on providing SOC 2 compliance in days, significantly faster than the typical months-long process, using AI agents.
- An anonymous Substack article, "Deep Delver," claims to be from an employee of a Delve client, detailing how Delve allegedly enabled the creation of fake board meeting notes, risk assessments, and copy-pasted employee evidence.
- The author states that everything discussed comes from the report and that nothing has been proven in court, so the claims remain allegations.
- In December, a spreadsheet with approximately 600 Delve customers leaked, revealing links to their compliance reports, many of which appeared identical with only company names changed.
- Emails were sent to Delve customers warning them about the potential insecurity of their compliance.
- If the allegations are true, not only Delve but also every startup that received SOC 2 compliance from them could be liable.
"Everything I'm going to talk about and have talked about is from this report. While they provide evidence, nothing has actually been proven in a court of law and therefore everything I'm talking about is completely alleged and these are sort of just what the accusations are."
The Mechanics of Alleged Delve Fraud [0:33]
- Delve allegedly enabled clients to create fake evidence, generated auditor conclusions on behalf of "certification mills," and skipped crucial framework requirements, while claiming 100% compliance.
- The auditors involved were reportedly Indian "certification mills" operating through US shell companies and mailbox agents.
- The loophole allegedly exploited is that Montana allows individuals outside the US to obtain a US-based CPA license, which made it easier to rubber-stamp reports.
- The Substack article suggests auditors and Delve itself may not have thoroughly reviewed compliance, with Delve allegedly generating auditor conclusions for clients and submitting them to fake auditors.
- These fake auditors, operating through US shell corporations, would then rubber-stamp the SOC 2 compliance.
- This process is seen as a serious betrayal of trust for enterprise companies entrusting sensitive data to these startups.
"Their US-based auditors are Indian certification mills operating through empty US shell companies and mailbox agents."
Delve's Response and the Leaked Data [0:53]
- Delve's CEO, Karun, sent customers an email with the subject "Email with falsified claims sent to Delve customers," describing the warning email they had received as AI-generated and containing false claims, and alerting them that an internal audit automation document had been publicly accessible.
- He assured customers of compliance and no impact on their audit reports, attributing the leak to "human error" and a mistake in making the document publicly available.
- The leaked document contained high-level customer information and links to draft audit reports.
- Delve claimed no external party accessed their platform, integrations, or databases.
- However, the Substack report highlighted that the spreadsheet itself was a database containing private data, signatures, and architectural diagrams of their customers.
- Delve also published a vague blog post that, instead of directly addressing the rumors, focused heavily on sales tactics and case studies, a significant portion of which was promotional.
"In the spirit of transparency, we want to proactively address the situation."
The Implausibility of "Compliance in Days" [8:16]
- Promising SOC 2 compliance in a couple of days is considered outlandish by industry experts.
- Mike Kim, founder of Microoft, stated that even reviewing a SOC report takes a day or two, and a hyper-efficient process with a focused company might take 2-3 weeks, with the expectation of 2-3 months for thorough preparation.
- Delve's platform allowed users to activate and publish a trust page with a fully populated list of security measures even before doing any real work or addressing security issues.
- These listed measures were often not implemented or supported by Delve's process and platform.
- The platform's compliance process is broken down into policies, team, tech, and company, with pre-created policies that require significant manual revision to be accurate.
- Delve's policies claim measures that the platform itself doesn't address.
- Instead of finding and fixing security issues, Delve allegedly provides a checklist that their own platform doesn't verify against.
- Clients could simply click "accept" on pre-created fake board meeting minutes and adopt default risks, bypassing genuine risk assessment.
"Companies that help you get compliant so you can pass these audits are supposed to actually go into your system and find the things that are wrong with you, not give you a checklist that their own platform doesn't even check whether you're compliant with or not."
The "Fake Evidence" and Employee Onboarding Issues [10:48]
- Delve allegedly assured clients they would never fail an audit and that auditors had never flagged issues, even claiming Fortune 500 companies used their process.
- Employees who weren't onboarded before the observation period were still marked as passing, with identical fake boilerplate evidence.
- Background checks were not performed for many employees, yet Delve marked all checks as passing.
- Clients were told they had passed their SOC 2 audit with high-quality reports, even though they hadn't done real work and had adopted fake evidence.
- When enterprise companies asked for detailed questionnaires, Delve's AI answered about 70% of questions, often fabricating details like a 200-hour pen test or regular backup restoration simulations.
- Many clients realized they had messed up when unable to honestly answer these detailed questions without jeopardizing deals.
- Customer support for Delve allegedly provided nonsense solutions or ghosted clients when issues were raised.
"And on top of that, they kept on reminding them that they sold to Fortune 500 companies using the exact same process. Companies like Lovable and Bland."
Industry Reactions and Founder Mindset [13:32]
- The narrative highlights a new wave of startup founders, often young, who rely on storytelling and hype rather than technical prowess or business acumen.
- Delve's founder allegedly emphasized the uniqueness of their situation and continued to claim companies like Lovable and Bland passed security reviews with Delve reports.
- Other YC companies, like Just PSA, have come out in support of Delve, stating they use Delve for automation but are responsible for their own security.
- Critics argue that Delve's platform enables shady behavior, and even if clients are ultimately responsible, the platform facilitates fraud.
- Competitors like Drada and Vanta, also YC companies in the SOC 2 space, are not alleged to farm out prefilled findings to shell companies.
- The video suggests that for startups needing to sell to enterprises quickly, paying $10,000-$20,000 for rapid SOC 2 compliance via Delve was appealing, despite potential red flags.
- The speaker concludes that for their own startup they would hire a real compliance firm and then find their own auditor, rather than using a company that drives the entire process.
"And at the end of the day, like we told you you guys should be compliant and you're the one that clicked the little check box on our platform that said that you do all these different security measures and we just submit the audit to the same place everyone else is doing it. So, we're not really liable for this."