Delve Faces Whistleblower Allegations of Data Misuse at Y Combinator Startup
Insight Partners quietly deleted its investment thesis for Delve after a whistleblower accused the $300M-valued startup of fabricating compliance certifications for hundreds of clients.

Insight Partners scrubbed a published article defending its $32 million bet on Delve after an anonymous whistleblower accused the Y Combinator-backed compliance startup of fabricating audit evidence for hundreds of customers. By March 23, Delve had also disabled the "book a demo" feature on its website, marking an accelerating fallout from allegations that struck at the startup's core business.
The removed Insight Partners article, written by managing directors Teddie Wardi and Praveen Akkiraju among others, was titled "Scaling AI-native compliance: How Delve is saving companies time and money on compliance busywork." The whistleblower, posting under the handle "DeepDelver" and claiming to be a former client, alleged that Delve, valued at $300 million during its Series A, fabricated compliance data for its customers.
Founded in 2023, Delve says it leverages AI to automate the process of obtaining security and regulatory certifications, including SOC 2, HIPAA, and GDPR. As recently as January 2026, co-founder Selin Kocalar told Inc. that Delve had over 1,000 customers in over 50 countries and had helped those clients land "nine-figure deals and federal contracts." The company's own blog now puts that customer count at more than 1,700.
The trouble began in December 2025. A spreadsheet of confidential client reports was leaked, and CEO Karun Kaushik emailed clients assuring them no external party had gained access. Dissatisfied customers pooled resources to investigate, uncovering what they described as skipped framework requirements and pre-filled templates.
What that investigation allegedly found was damning. DeepDelver accused the startup of providing customers with "fabricated evidence of board meetings, tests, and processes that never happened," then forcing those customers to "choose between adopting fake evidence or performing mostly manual work with little real automation or AI." The post further alleged that virtually all Delve clients appear to have worked with two primary audit firms, Accorp and Gradient, which the whistleblower described as "part of the same operation" based primarily in India with minimal U.S. presence.
DeepDelver told reporters that they and their collaborators "chose to remain anonymous out of fear for retaliation by Delve."

The allegations potentially expose Delve's customers to "criminal liability under HIPAA and hefty fines under GDPR." On its website, Delve claims to have helped customers such as Microsoft, Chase, PayPal, American Express, and the AI search company Perplexity cut "hundreds of hours" of compliance busywork, though it remains unclear how many of these companies are still active users of the platform.
Delve pushed back firmly. The company said it does not issue compliance reports, describing itself as an "automation platform" that ingests information and assists customers in implementing compliance requirements, before granting auditors access to an audit dashboard; final reports, it said, are issued solely by independent, licensed auditors. On the pre-filled templates accusation, Delve said it provides templates to help teams document their processes, as other compliance platforms do, with customers responsible for reviewing and finalizing their own materials: "Draft templates are not the same as 'pre-filled evidence.'"
DeepDelver was not persuaded. They told reporters they were "baffled by the laziness, clumsiness and brazenness" of Delve's response. They added that there are "a number of very serious allegations" Delve did not address at all, specifically naming "the India accusation, the lack of AI" and "the trust page containing controls that were never implemented." The whistleblower also promised that "Part II will follow soon."
Separately, an X user named James Zhou claimed to have accessed sensitive Delve information including employee background checks and equity schedules. Cybersecurity expert Jamieson O'Reilly of Dvuln subsequently shared details from a conversation with Zhou about "several gaping security holes in Delve's external attack surface."
Co-founders Karun Kaushik and Selin Kocalar, as well as Insight Partners, did not immediately respond to requests for comment. With its demo pipeline closed, its lead investor's public endorsement erased, and a second installment of whistleblower allegations promised, Delve faces a reckoning that threatens to redefine what AI-native compliance automation actually means.

