When a compliance platform promises to get your SOC 2 done in weeks for a fraction of the cost of a traditional audit, the right question isn’t “how fast?” It’s “how real?”
A detailed investigation into Delve, a Y Combinator-backed compliance automation startup that raised $32 million and was co-founded by Forbes 30 Under 30 alumni, suggests the answer may have been: not real at all.
What Happened
The DeepDelver Substack published an investigation based on a leaked Google spreadsheet containing hundreds of Delve clients’ draft audit reports across SOC 2, ISO 27001, HIPAA, and GDPR frameworks. The full investigation makes for uncomfortable reading for anyone in GRC.
Of the 493 or 494 leaked SOC 2 reports analyzed, the findings were damning: the reports were essentially identical — same boilerplate language, same grammatical errors, same structural quirks — with only the client’s name, logo, org chart, and signature block changed. Not similar. Identical. Down to the typos.
The investigation found that auditor conclusions appeared to be pre-written before any evidence was actually reviewed — a direct violation of AICPA independence standards, which require that an auditor’s opinion be formed as a result of the evidence gathered, not established in advance and populated around a client’s information afterward.
Perhaps most striking: all 259 Type II SOC 2 reports in the leaked set claimed zero security incidents, zero personnel changes, and zero cyber incidents during their observation periods. Every single one. All with identical “unable to test” conclusions across the same control categories. In any real audit population of 259 organizations over multi-month periods, the probability of this uniformity occurring naturally is effectively zero.
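The two findings above (near-identical boilerplate with only client identifiers swapped, and uniform "zero incidents" claims across an entire population) are the kind of thing a receiving organization can screen for itself when it holds more than one report from the same platform or auditor. The following is an added example, not code from the article or from any platform it names: it masks client-specific names, compares the remaining text with word-shingle Jaccard similarity, and measures how uniformly a given claim appears across the set. The three reports, client names and the deliberately repeated typo are constructed sample data.

```python
"""Screen a batch of received audit reports for templated content.

Added example for illustration; the reports, client names and the
similarity threshold below are constructed assumptions, not data from
the investigation discussed in the article.
"""
import re
from itertools import combinations

# Constructed sample reports for three hypothetical clients. "acme" and
# "borealis" share the same boilerplate (including the "through out" typo)
# with only the client name changed; "cinder" is written from real evidence.
SAMPLE_REPORTS = {
    "acme": """Acme Corp engaged the service auditor to examine its controls.
Based on our examination, Acme Corp's controls were suitably designed and
operated effectively through out the period. No security incidents were
reported during the observation period. Personnel changes: none.""",
    "borealis": """Borealis Ltd engaged the service auditor to examine its controls.
Based on our examination, Borealis Ltd's controls were suitably designed and
operated effectively through out the period. No security incidents were
reported during the observation period. Personnel changes: none.""",
    "cinder": """Cinder Inc engaged the service auditor to examine its controls.
During the period we observed two phishing incidents, both contained within
four hours, and three onboarding events for engineering staff. One exception
was noted in quarterly access reviews and is described in section 4.""",
}

# Client-specific strings to mask before comparison (constructed).
CLIENT_TERMS = {
    "acme": ["Acme Corp"],
    "borealis": ["Borealis Ltd"],
    "cinder": ["Cinder Inc"],
}


def normalize(text, client_terms):
    """Mask client-specific names, lower-case, and collapse whitespace so that
    only the auditor-authored wording is left to compare."""
    for term in client_terms:
        text = text.replace(term, "<client>")
    return re.sub(r"\s+", " ", text.lower()).strip()


def shingles(text, k=4):
    """Set of k-word shingles; short texts yield a single shingle."""
    words = text.split()
    return {" ".join(words[i:i + k]) for i in range(max(len(words) - k + 1, 1))}


def jaccard(a, b):
    """Jaccard similarity of two sets (1.0 when both are empty)."""
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


def templated_pairs(reports, client_terms, threshold=0.9):
    """Return (id_a, id_b, score) for every pair of reports whose
    name-masked text is at least `threshold` similar."""
    norm = {
        cid: shingles(normalize(txt, client_terms.get(cid, [])))
        for cid, txt in reports.items()
    }
    flagged = []
    for x, y in combinations(sorted(norm), 2):
        score = jaccard(norm[x], norm[y])
        if score >= threshold:
            flagged.append((x, y, round(score, 3)))
    return flagged


def uniform_claim_rate(reports, pattern=r"no security incidents"):
    """Fraction of reports that make the same claim, e.g. zero incidents.
    A rate near 1.0 across a large population is a signal worth querying."""
    hits = sum(1 for t in reports.values() if re.search(pattern, t, re.IGNORECASE))
    return hits / len(reports)


if __name__ == "__main__":
    for a, b, score in templated_pairs(SAMPLE_REPORTS, CLIENT_TERMS):
        print(f"possible template: {a} vs {b} (similarity {score})")
    print(f"'no security incidents' claimed by {uniform_claim_rate(SAMPLE_REPORTS):.0%} of reports")
```

On the constructed data the two boilerplate reports score 1.0 against each other after masking, while the evidence-based report scores well under 0.1 against either; the shared typo survives normalization on purpose, since identical errors are stronger evidence of a template than identical correct sentences. Against a real batch, the threshold and the client-term lists are the parts to tune, and a high uniform-claim rate is a prompt for direct evidence requests rather than a conclusion on its own.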
The CEO of Delve publicly dismissed the investigation as “falsified claims from an AI-generated email” — a response that, as of this writing, has done little to address the specific documentary evidence.
How the Scheme Allegedly Worked
The architecture of what DeepDelver describes is worth understanding in detail, because it has implications beyond Delve specifically.
The auditor problem: Delve marketed itself as using “US-based auditors.” In practice, the investigation found that 99%+ of client audits were routed through two firms: Accorp and Gradient — described as Indian certification mills operating through U.S. shell structures. The independence and professional licensing questions raised by this arrangement are significant.
The trust page problem: Delve’s platform publishes what it calls “trust pages” — public-facing compliance portals that clients can share with prospects and partners as evidence of their security posture. According to the investigation, these pages were populated with claims about completed vulnerability scans and penetration tests before that work had actually been performed. The compliance artifact was created before the compliance activity.
The one-click fabrication problem: The platform allegedly offered clients the ability to adopt pre-fabricated board minutes, risk assessments, and security simulation records with a single click. These aren’t administrative conveniences — they are the documentary evidence that underpins a compliance assertion. Generating them automatically, without underlying organizational work, is fabrication by another name.
The integration problem: Most of Delve’s advertised integrations — the technical connections to cloud infrastructure, identity providers, and security tools that should provide the automated evidence collection underpinning modern compliance platforms — allegedly functioned as containers for manual screenshots rather than real API connections. The appearance of automated evidence collection without the substance of it.
Why This Matters for Your Compliance Program
If your organization received a SOC 2 report, ISO 27001 certificate, HIPAA attestation, or GDPR compliance documentation from a Delve client — or if your organization used Delve directly — you have exposure worth understanding.
Vendor risk: SOC 2 Type II reports are routinely used by organizations to evaluate the security posture of their vendors and service providers. If a significant portion of issued reports share the characteristics described above, your vendor risk assessments may be built on documentation that does not reflect the vendor’s actual security controls. The control environment you thought you were relying on may not exist as described.
Criminal liability: HIPAA compliance is not merely a business preference. Organizations that obtained fraudulent HIPAA attestations through a process like this, and used those attestations to demonstrate compliance to covered entities or business associates, face potential criminal liability under the HIPAA enforcement framework. The Office for Civil Rights does not distinguish between “we didn’t know our compliance was fake” and deliberate fraud when patient data is at risk.
Regulatory fines: GDPR compliance documentation that was fabricated rather than earned exposes organizations to fines of up to 4% of global annual revenue under Article 83 enforcement. More importantly, it means the underlying data protection controls that GDPR compliance is supposed to evidence may not actually be in place — a substantive risk to individuals whose data you process, and a substantive liability for your organization.
The “I didn’t know” defense: If a regulatory investigation or a data breach occurs, and it emerges that your organization’s compliance documentation was produced through a process later found to be fraudulent, the “we relied on our compliance vendor” argument has limited legal currency. The compliance obligation belonged to your organization, not to Delve.
Real Compliance vs. What This Describes
A genuine SOC 2 Type II audit involves a licensed CPA firm — independent of the organization being audited — conducting an examination over a defined observation period, typically six to twelve months. The auditor collects and tests evidence of control operation throughout that period: system logs, access reviews, change management records, incident logs, vendor documentation.
The auditor’s conclusions must be formed as a result of that evidence. An auditor who writes the conclusions first and fills in the evidence afterward has not conducted an audit. They have produced a document.
Zero security incidents across 259 organizations over multi-month periods is not a compliance outcome. It is a template value that was never updated.
The Market Pressure Context: This Is Bigger Than Delve
The compliance automation market has been in an accelerating race to the bottom on price and speed. Vanta now sells SOC 2 Express Packages at around $5,000. The message to the market is that enterprise-grade compliance can be turned on like a utility — and that creates demand for providers willing to deliver exactly that price signal.
When clients threatened to leave Delve, the response was reportedly to pair them with an external vCISO for manual work — an implicit acknowledgment that the platform wasn’t delivering real compliance. Pricing reportedly dropped from $15,000 to $6,000 with ISO 27001 and a penetration test thrown in. Those economics do not support a legitimate audit process.
The compliance certification industry has a structural problem: the buyers of compliance reports are not always the parties bearing the risk if those reports are wrong. When a startup buys a SOC 2 to satisfy a procurement questionnaire, the enterprise asking for that report is the one relying on its accuracy. That misalignment creates incentive for exactly what is alleged here.
What to Do Now
If you’re a Delve client: Engage a qualified attorney before taking any public action. Commission an independent gap assessment to understand the actual state of your controls. If you operate in HIPAA-regulated environments, brief your privacy counsel immediately.
If you received a Delve-processed report from a vendor: Add enhanced questionnaires and direct evidence requests to your vendor review process. A SOC 2 report from this period may require independent verification.
If you’re evaluating compliance automation platforms: Require disclosure of the actual auditing firm, verify their CPA licensure independently, and speak directly with the auditor — not just the platform — about their methodology. If the auditor is a name you can’t independently verify, that’s a due diligence finding.
Compliance documentation exists to convey real information about real control environments. When it conveys nothing except the willingness to pay for a PDF, it fails everyone downstream who relied on it to make a risk decision.
That’s the Delve story, and it’s one the compliance profession needs to sit with.