What is the Delve compliance fraud scandal?

Delve, a YC-backed GRC automation startup that raised $32M at a $300M valuation, systematically fabricated 494 SOC 2 and 81 ISO 27001 audit reports for hundreds of companies. Reports were generated from identical templates with pre-written auditor conclusions before any audit occurred.

Which companies were affected by the Delve fraud?

58 companies have been identified by name including Lovable, Bland, WisprFlow, Greptile, Incorta, Sully, Knowtex, Duos Edge AI (NASDAQ: DUOT), 11x, Cluely, Browser Use, HockeyStack, and dozens more. Approximately 436 additional companies remain unidentified.

What should I do if my company used Delve?

Immediately unpublish your Delve trust page, notify enterprise customers who received Delve reports, engage a legitimate CPA firm for a fresh audit, conduct a gap assessment, and consult legal counsel if you process PHI (HIPAA) or EU data (GDPR).

Who were Delve's auditors?

Accorp (primary SOC 2, 99%+ of clients) and Gradient Certification (primary ISO 27001) were the main auditors. Both were traced to Indian operations using virtual US addresses.

Which enterprise companies are downstream affected?

OpenAI, PayPal, Stripe, Amazon, IBM, Microsoft, U.S. Dept. of Veterans Affairs, Hertz, Klarna, Uber, Zendesk, Broadcom, Comcast, PwC, DoorDash, and others accepted compliance documentation from confirmed Delve customers.

Were You Duped by Delve?

494

Fabricated SOC 2 reports

Fake ISO 27001 forms

Companies identified by name

~436

Companies still unidentified

99.8%

Reports with identical boilerplate

$300M

Delve's valuation at Series A

Am I affected?

Affected companies

Duos Edge AISullyKnowtexSlashCoretsu Inc.ZiinaLovableBland+50 more

Search or select a risk tier above to view companies

What this means

If your company used Delve for compliance, your SOC 2, ISO 27001, HIPAA, or GDPR certifications are worthless. They were generated from identical templates with pre-written auditor conclusions — before your team provided any evidence.

HIPAA Exposure

Companies processing PHI (Sully, Knowtex, Bland, WisprFlow) face potential criminal liability. A fraudulent SOC 2 does not satisfy the HIPAA Security Rule's administrative safeguards.

GDPR Fines

Companies processing EU data face fines up to 4% of global annual revenue. A fraudulent ISO 27001 certificate voids the Article 32 "appropriate technical measures" defense.

SEC / Securities Fraud

Duos Edge AI (NASDAQ: DUOT) marketed "SOC 2 Type II–audited" status in SEC filings. The report claimed coverage for five trust service criteria but actually covered only Security.

Vendor Trust Collapse

Enterprise customers who accepted Delve reports during vendor reviews now have a gap in their third-party risk management audit trail.

The rubber-stamp auditors

Seven audit firms were identified. For high-profile clients, Delve used legitimate US-based firms (Prescient, Aprio), routing those engagements off-platform. Everyone else got rubber stamps.

Accorp

Primary SOC 2 auditor (99%+ of clients)

primary

Indian operations, virtual US/UAE addresses. License ID pre-embedded in all draft reports before any audit activity.

Gradient Certification

Primary ISO 27001 certifier

primary

Wyoming shell via mailbox agent. President at same Delhi address as Indian entity.

Glocert

Replacement ISO 27001 (post-leak)

secondary

Claims UK HQ; filed dormant accounts with Companies House 4 years running, zero revenue.

Accorian

Secondary SOC 2

secondary

Cover page swapped onto Accorp-generated reports. Coretsu report had wrong license ID.

DKPC

Additional

minor

Diwakar Kamath Professional Corporation.

Prudence Advisors

Additional

minor

Jay Maru.

BQC Assessment

Additional

minor

Identified during investigation.

What to do now

Every Delve customer needs to redo compliance from scratch with legitimate auditors. Here's the playbook.

Unpublish your Delve trust page

Remove any trust.delve.co page and take down compliance badges referencing Delve-issued reports immediately.

Notify enterprise customers

Any enterprise customer who received a Delve-issued SOC 2, ISO 27001, or other compliance report during a vendor review must be notified that the report is invalid.

Engage a legitimate CPA firm

Commission a fresh SOC 2 Type II audit from a reputable, AICPA-registered firm. Do not reuse any Delve artifacts — start from scratch.

Conduct a gap assessment

Delve's one-click evidence generation means your actual security posture may not match what was reported. Perform a thorough gap assessment against the controls in your original report.

Consult legal counsel

If you process PHI (HIPAA), EU personal data (GDPR), financial data, or federal data, consult counsel on disclosure obligations and potential liability.

Preserve evidence

Save copies of all Delve-issued reports, trust page screenshots, and communications. These may be needed for legal proceedings or regulatory inquiries.

Get the Impact Kit

Download the complete Delve Impact Kit — all 58 companies, risk tiers, remediation playbook, and enterprise exposure map in a shareable PDF.

We'll notify our team. No spam, no mailing list.

Downstream enterprise exposure

These enterprises accepted compliance documentation from confirmed Delve customers during vendor security reviews. WisprFlow's Delve case study claimed the company "closed hundreds of the Fortune 500" using Delve's SOC 2 report.

OpenAI

via Delve clients

PayPal

via Delve clients

Indeed.com

via Delve clients

Hertz

via Delve clients

Mercury

via WisprFlow

Superhuman

via WisprFlow

Stripe

via Greptile

Amazon

via Greptile

U.S. Department of Veterans Affairs

via Knowtex

IBM

via 11x

Klarna

via Lovable

Uber

via Lovable

Zendesk

via Lovable

Broadcom

via Incorta

Equinix

via Incorta

Comcast

via Incorta

Starbucks

via Incorta

Microsoft

via micro1 / Confident AI

PwC

via Magic Patterns

DoorDash

via Magic Patterns

Sunrun

via Remi

Brex

via 11x

DataStax

via 11x

BCG

via Confident AI

AstraZeneca

via Confident AI

AXA

via Confident AI

All 58 Affected Companies

Duos Edge AI (NASDAQ: DUOT) — Modular edge data centers for education, healthcare, AI compute · Compliance: SOC 2 · Data: K-12 student data, healthcare data, defense · Stage: Public (NASDAQ)

Sully — Autonomous AI agents for hospitals; integrates with Epic EHR · Compliance: SOC 2, HIPAA · Data: PHI for 100+ healthcare organizations · Stage: Series A ($32M)

Knowtex — Voice AI for clinicians; creates clinical notes and billing codes · Compliance: SOC 2, FedRAMP · Data: PHI; deployed by U.S. Department of Veterans Affairs · Stage: Seed ($2.5M)

Slash — Vertical banking: corporate cards, stablecoin payments, banking · Compliance: SOC 2 · Data: Financial data; $3B+ annualized volume · Stage: Series B ($60M)

Coretsu Inc. — Federal/government AI tools for congressional and regulatory use · Compliance: SOC 2 · Data: Federal government data; $90K lobbying spend · Stage: Early-stage

Ziina — UAE-licensed fintech: P2P payments, Visa cards, Open Finance · Compliance: SOC 2 · Data: Financial transactions, payment credentials, PII · Stage: Series A ($22M)

Lovable — AI "vibe coding" platform; 2.3M+ users, $200M+ ARR · Compliance: SOC 2, ISO 27001 · Data: User code, API keys, application data · Stage: Series B ($530M; $6.6B val)

Bland — AI phone call automation platform · Compliance: SOC 2, HIPAA · Data: Voice conversations, call recordings, PII · Stage: Series B ($65M)

Incorta — Real-time data analytics with Direct Data Mapping · Compliance: SOC 2 · Data: Enterprise business intelligence data · Stage: Series D ($202M)

WisprFlow — AI voice dictation across applications · Compliance: SOC 2, HIPAA · Data: Voice data, PII; 270+ Fortune 500 companies · Stage: Series A ext. ($81M)

Greptile — AI code review agent with full codebase context · Compliance: SOC 2 · Data: Source code for Stripe, Amazon, 250+ companies · Stage: Series A ($25M+)

11x — AI digital workers (Alice SDR, Julian phone agent) · Compliance: SOC 2 · Data: Prospect data, CRM integrations · Stage: Series B ($50M, a16z)

micro1 — AI talent vetting; data engine for frontier AI model training · Compliance: SOC 2 · Data: Expert PII, proprietary AI training data · Stage: Series A ($41.6M; $500M val)

Sentra — Cloud-native data security platform (DSPM) · Compliance: SOC 2 · Data: Scans petabytes of customer sensitive data by design · Stage: Series B ($100M+)

Ribbon AI — AI voice recruiting platform · Compliance: SOC 2 · Data: Candidate PII, voice recordings, resumes · Stage: Seed ($8M+)

HockeyStack — B2B marketing analytics and attribution · Compliance: SOC 2, ISO 27001, GDPR · Data: Marketing data, $20B+ managed ad spend · Stage: Series A ($22M)

Cluely — AI meeting tool (formerly interview cheating overlay) · Compliance: SOC 2 · Data: Meeting audio/video, user communications · Stage: Series A ($15M, a16z)

Browser Use — AI browser automation; converts interfaces for LLMs · Compliance: SOC 2 · Data: Web browsing data, potentially user credentials · Stage: Seed ($17M)

Remi — Roofing marketplace; AI contractor matching · Compliance: SOC 2 · Data: Homeowner PII, payment info · Stage: Series A ($21M)

RAEK — First-party data platform; converts anonymous visitors to profiles · Compliance: SOC 2 · Data: Millions of consumer PII records · Stage: Pre-seed (~$950K)

Instantly — AI sales engagement and cold email outreach · Compliance: SOC 2 · Data: 280M+ B2B contacts database, email communications · Stage: Growth stage

Levels.fyi — Tech salary comparison and career platform · Compliance: SOC 2 · Data: Salary data, compensation data, career info · Stage: Bootstrapped

LedgerUp — AI revenue lifecycle management (billing, invoicing) · Compliance: SOC 2 · Data: Contracts, invoices, payment data, revenue data · Stage: Seed (YC)

Axle Access — Corporate access platform for Wall Street · Compliance: SOC 2 · Data: Financial communications, investor-management data · Stage: Pre-seed ($1.5M)

Sunflower — AI-powered addiction/sobriety platform · Compliance: SOC 2 · Data: Health/behavioral data · Stage: YC F25

Dart — AI project management tool · Compliance: SOC 2 · Data: Project data · Stage: YC

Portant — Document workflow automation for Google Workspace · Compliance: SOC 2 · Data: Document data · Stage: Early-stage

Magic Patterns — AI UI design/prototyping from text prompts · Compliance: SOC 2 · Data: Design data · Stage: YC W23

Confident AI — LLM evaluation platform; created DeepEval · Compliance: SOC 2 · Data: AI evaluation data · Stage: YC

Cyberdesk — Computer use agent for automating legacy apps · Compliance: SOC 2 · Data: Application data · Stage: YC

s2.dev — Serverless API for real-time data streams · Compliance: SOC 2 · Data: Streaming data · Stage: YC F25

Coframe — AI website optimization platform · Compliance: SOC 2 · Data: Website analytics data · Stage: Early-stage

Keygen — Software licensing and distribution API · Compliance: SOC 2 · Data: License keys, customer data · Stage: Early-stage

Run Automat — Automation company · Compliance: SOC 2 · Data: Automation workflow data · Stage: Early-stage

DineU — Food/dining platform · Compliance: SOC 2 · Data: User data · Stage: Early-stage

Awaken Tax — Tax-related platform · Compliance: SOC 2 · Data: Tax/financial data · Stage: Early-stage

Pocket — Unknown · Compliance: SOC 2 · Data: Unknown · Stage: Early-stage

Rev Intelligence — Revenue intelligence platform · Compliance: SOC 2 · Data: Revenue data · Stage: Early-stage

Refine — Unknown · Compliance: SOC 2 · Data: Unknown · Stage: Early-stage

aissist.io — AI assistant platform · Compliance: SOC 2 · Data: AI interaction data · Stage: Early-stage

CorePartners, Inc. — Unknown · Compliance: SOC 2 · Data: Unknown · Stage: Early-stage

Clado — Unknown · Compliance: SOC 2 · Data: Unknown · Stage: Early-stage

Judgment Labs — AI evaluation/testing · Compliance: SOC 2 · Data: AI evaluation data · Stage: Early-stage

Metorial — Unknown · Compliance: SOC 2 · Data: Unknown · Stage: Early-stage

Typeless — Typing/dictation tool · Compliance: SOC 2 · Data: User input data · Stage: Early-stage

Praxos — Unknown · Compliance: SOC 2 · Data: Unknown · Stage: Early-stage

Valence AI — AI platform · Compliance: SOC 2 · Data: AI data · Stage: Early-stage

Heynoah.io — Unknown · Compliance: SOC 2 · Data: Unknown · Stage: Early-stage

Betterness — Unknown · Compliance: SOC 2 · Data: Unknown · Stage: Early-stage

General Agency — Unknown · Compliance: SOC 2 · Data: Unknown · Stage: Early-stage

Kernel — Unknown · Compliance: SOC 2 · Data: Unknown · Stage: Early-stage

Morph — Unknown · Compliance: SOC 2 · Data: Unknown · Stage: Early-stage

DAERO — Unknown · Compliance: SOC 2 · Data: Unknown · Stage: Early-stage

Counsel — Legal tech · Compliance: SOC 2 · Data: Legal data · Stage: Early-stage

Context — Unknown · Compliance: SOC 2 · Data: Unknown · Stage: Early-stage

Soolv — Unknown · Compliance: SOC 2 · Data: Unknown · Stage: Early-stage

Sage — Unknown (not Sage Group plc) · Compliance: SOC 2 · Data: Unknown · Stage: Early-stage

Pointer — Unknown · Compliance: SOC 2 · Data: Unknown · Stage: Early-stage