Delve exits Y Combinator amid mounting controversy

Delve, a startup that helps companies manage privacy and security compliance, has been removed from Y Combinator’s public portfolio as an anonymous campaign accuses the firm of overstating its compliance capabilities. The dispute, which has prompted investor and customer scrutiny, centers on leaked documents, alleged data exfiltration and conflicting claims from both the accuser and Delve’s leadership.

Y Combinator no longer lists Delve in its directory, and the startup’s page appears to have been taken down from the accelerator’s website. Delve’s chief operating officer confirmed on social media that the relationship with the accelerator has ended, while at least one other investor briefly scrubbed references to its investment before restoring a post.

The allegations originated in a series of anonymous posts on a Substack attributed to “DeepDelver,” whose author claimed to be a former customer. The posts accuse Delve of representing customers as compliant with privacy and security standards while skipping critical steps, generating superficial audit reports and relying on third-party firms that signed off without rigorous review.

Subsequent material published by the anonymous author included screenshots and other internal messages they said were sourced from Delve. A separate security researcher also reported being able to access sensitive data tied to the company. The controversy broadened when malware was later found in an open source project connected to a Delve customer, drawing attention to wider software supply-chain risks.

Delve has pushed back forcefully. In a blog post signed by the CEO and COO, the company said it hired an external cybersecurity firm to investigate and that initial findings point to a malicious intrusion rather than a good‑faith whistleblower. According to Delve, an attacker obtained internal files after gaining access under false pretenses and used the material to mount a coordinated smear campaign.

The founders dismissed parts of the Substack’s narrative as selectively chosen material and context-stripped screenshots. They also addressed the open source question, saying their product was built on an Apache 2.0 codebase that permits commercial use (the licence does, however, require that copyright, licence and NOTICE attributions be preserved in redistributed copies) and that they invested significant engineering effort to adapt it for compliance workflows.

  • Claims made by the anonymous author: Misleading compliance assurances, automated or templated audit reports, uncredited use of open source work, and exposed internal data.
  • Delve’s stated findings and actions: Investigation by a third‑party cybersecurity firm, evidence of data exfiltration by a malicious actor, cleanup of partner/auditor network, and offers of free re‑audits and penetration tests to current customers.
  • Investor reactions: Removal from Y Combinator’s public roster and temporary deletions of investor announcements by at least one backer.

Executives at Delve also acknowledged operational missteps. The company said it expanded rapidly and that some processes did not keep pace with growth; it apologized to customers for the disruption and has described a set of remediation measures intended to restore confidence.

For customers and partners, the episode raises practical questions: Which compliance outcomes were fully validated by independent auditors, and which relied on automation or templated material? How thoroughly were third‑party auditors vetted? Delve says it will make clearer that its templates are starting points and is offering complimentary follow‑up testing to affected clients.

The situation has broader implications for startups that sell compliance tooling: claims about automated compliance and AI‑driven audits can accelerate adoption, but they also increase the reputational and regulatory stakes if those claims are challenged. Venture firms and buyers are likely to press for more evidence of independent, manual verification and tighter controls over sensitive data access.

News outlets have contacted Y Combinator and the anonymous author for comment. Observers will be watching for the cybersecurity firm’s findings, any formal investor statements, and whether affected customers publicly accept Delve’s offers of re-audits and penetration tests.

What to watch next: confirmation of the forensic report, any regulatory inquiries, updates from investors, and whether the incident prompts changes in how compliance platforms document and validate their work.

Published by ECIKS.org, an independent media outlet.