NOW LET US – AI RAG SaaS Studio TP.HCM

Delve – Fake Compliance as a Service


An investigative report reveals how Delve, a compliance platform, allegedly fabricated evidence and used 'certification mills' to falsely grant security certifications to hundreds of companies.

Delve - Fake Compliance as a Service - Part I

How Delve managed to falsely convince hundreds of customers they were compliant and then lied about it when exposed and called out

At its core, this article argues that Delve fakes compliance, creating the appearance of compliance without the underlying substance.

Delve achieves its claim of being the fastest platform by producing fake evidence, generating auditor conclusions on behalf of certification mills that rubber stamp reports, and skipping major framework requirements while telling clients they have achieved 100% compliance. Their “US-based auditors” are Indian certification mills operating through empty US shells and mailbox agents. Auditors breach independence rules by signing off anyway, leaving companies unknowingly exposed to criminal liability under HIPAA and hefty fines under GDPR.

Delve hands customers fabricated evidence of board meetings, tests, and processes that never happened. The platform forces companies to choose between adopting fake evidence or performing mostly manual work with little real automation or AI. It produces audit reports that falsely claim independent verification while Delve itself effectively wears the auditor hat, generating identical reports for all clients. It hosts trust pages that list security measures that were never implemented.

Preface - How it all started

Two months ago, an email went out to a few hundred Delve clients informing them that Delve had leaked their audit reports, alongside other confidential information, through a Google spreadsheet that was publicly accessible. This email also claimed that Delve’s audit reports were fraudulent.

Instead of providing clarification and being transparent, Delve’s leadership decided to go into deny-and-deflect mode. When asked directly for clarification, they flat-out denied everything. This raised serious questions about the validity of the compliance reports Delve’s clients had received.

Key Findings of the Investigation

Audit Integrity & Independence

Delve breaches AICPA/ISO rules by acting as auditor and generating pre-drafted assessments. They rely on audit firms that rubber stamp reports because genuine independent verification would expose the evidence as fabricated.

Misrepresentation to Customers

Delve misleads clients by claiming reports are produced by US-based CPA firms, when in reality they are produced by Delve and rubber stamped by Indian certification mills. They market AI-driven automation while the product is practically devoid of AI, relying on templates and manual forms.

Regulatory & Compliance Risk

Delve’s process results in clients violating GDPR and HIPAA requirements, exposing them to criminal liability and fines up to 4% of global revenue. Companies relying on Delve face significant regulatory, contractual, and reputational risk.

Advice for Prospects and Clients

Delve often claims these allegations are attempts by “jealous competitors” to discredit them. When clients ask concrete questions, they dodge answering and instead coax you into getting on a call.

If you are concerned about Delve’s conduct and practices, ask them questions in writing. Do not allow them to deflect. Do not get on a call with them. Relying on fraudulent compliance is a risk no business should take.

© 2026 Now Let Us. All rights reserved.

Source: Hacker News
