Lovable ($6.6B) says they remediated the issue months ago — see their post
494 compliance reports. All fabricated.
Delve, a YC-backed GRC startup valued at $300M, systematically generated fake SOC 2, ISO 27001, HIPAA, and GDPR audit reports for hundreds of companies. 58 have been identified by name. Check if you're affected.
Lovable — Delve's highest-value customer at a $6.6 billion valuation and the company name-dropped in virtually every Delve sales call — says they already transitioned to Vanta for their compliance program months before the scandal broke.
First public acknowledgment from any of the 58 named Delve customers. See their LinkedIn post
If your company used Delve for compliance, your SOC 2, ISO 27001, HIPAA, or GDPR certifications are worthless. They were generated from identical templates with pre-written auditor conclusions — before your team provided any evidence.
Companies processing PHI (Sully, Knowtex, Bland, WisprFlow) face potential criminal liability. A fraudulent SOC 2 does not satisfy the HIPAA Security Rule's administrative safeguards.
Companies processing EU data face fines up to 4% of global annual revenue. A fraudulent ISO 27001 certificate voids the Article 32 "appropriate technical measures" defense.
Duos Edge AI (NASDAQ: DUOT) marketed "SOC 2 Type II–audited" status in SEC filings. The report claimed coverage for five trust service criteria but actually covered only Security.
Enterprise customers who accepted Delve reports during vendor reviews now have a gap in their third-party risk management audit trail.
Seven audit firms were identified. For high-profile clients, Delve used legitimate US-based firms (Prescient, Aprio), routing those engagements off-platform. Everyone else got rubber stamps.
Primary SOC 2 auditor (99%+ of clients): Indian operations, virtual US/UAE addresses. License ID pre-embedded in all draft reports before any audit activity.
Primary ISO 27001 certifier: Wyoming shell via mailbox agent. President at same Delhi address as Indian entity.
Replacement ISO 27001 (post-leak): Claims UK HQ; filed dormant accounts with Companies House 4 years running, zero revenue.
Secondary SOC 2: Cover page swapped onto Accorp-generated reports. Coretsu report had wrong license ID.
Additional: Diwakar Kamath Professional Corporation.
Additional: Jay Maru.
Additional: Identified during investigation.
Every Delve customer needs to redo compliance from scratch with legitimate auditors. Here's the playbook.
Remove any trust.delve.co page and take down compliance badges referencing Delve-issued reports immediately.
Any enterprise customer who received a Delve-issued SOC 2, ISO 27001, or other compliance report during a vendor review must be notified that the report is invalid.
Commission a fresh SOC 2 Type II audit from a reputable, AICPA-registered firm. Do not reuse any Delve artifacts — start from scratch.
Delve's one-click evidence generation means your actual security posture may not match what was reported. Perform a thorough gap assessment against the controls in your original report.
If you process PHI (HIPAA), EU personal data (GDPR), financial data, or federal data, consult counsel on disclosure obligations and potential liability.
Save copies of all Delve-issued reports, trust page screenshots, and communications. These may be needed for legal proceedings or regulatory inquiries.
These enterprises accepted compliance documentation from confirmed Delve customers during vendor security reviews. WisprFlow's Delve case study claimed the company "closed hundreds of the Fortune 500" using Delve's SOC 2 report.