The controversy around Delve appears to have cost the compliance startup its relationship with accelerator Y Combinator.
Delve is not listed among YC’s portfolio companies, and the Delve page appears to have been removed from the YC website. In addition, the startup’s COO Selin Kocalar posted on X that “YC and Delve have parted methods.”
“I nonetheless keep in mind the day we took our YC interview at MIT,” Kocalar said. “We’re so grateful to the group and each founder good friend we’ve made.”
YC isn’t the first investor to distance itself from Delve. Perception Companions also appears to have deleted posts about its investment in the company, although its main blog post was later restored.
Meanwhile, Delve continues to push back against anonymous claims that it misled clients by telling them they were compliant with privacy and security regulations while allegedly skipping necessary requirements and auto-generating reports for “certification mills that rubber stamp studies.”
These claims were first published in an anonymous Substack post attributed to “DeepDelver,” who described themselves as a former Delve customer who became suspicious after receiving leaked data about the startup’s clients.
DeepDelver published subsequent posts sharing what they said were Slack and video posts from the company, as well as accusing Delve of passing off an open source tool as its own, without giving credit or reaching an agreement with the developer. A security researcher also said he was able to access sensitive Delve data.
Meanwhile, Delve became part of a related controversy when malware was discovered in an open source project developed by Delve customer LiteLLM.
In the company’s latest blog post, Delve’s COO Kocalar and CEO Karun Kaushik declared their intention to set “the file straight on nameless assaults.” Among other things, they claimed that the company has hired a cybersecurity firm “to assist us perceive what occurred,” and said the “proof factors to a malicious assault relatively than a real whistleblower.”
“It seems that an attacker bought Delve beneath false pretenses, maliciously exfiltrated knowledge, together with Delve’s inside firm knowledge, and used it to launch a coordinated smear marketing campaign in opposition to us,” they said. The blog post also includes a screenshot that they said “reveals the attacker exfiltrating our audit monitoring spreadsheet by way of file.io.”
Beyond this accusation, Delve also described DeepDelver’s criticism as “a mixture of fabricated claims, cherry-picked screenshots, and knowledge taken out of context.” For example, they said DeepDelver “dismisses our AI whereas acknowledging it automated 70% of a safety questionnaire.”
On the question of using open source tools, Delve said it “constructed on an Apache 2.0 open-source repository, which explicitly permits industrial use, and considerably rebuilt it for compliance use instances.”
However, the executives also said they’ve been taking steps to ensure customers “really feel assured in our platform and compliance outcomes.”
These steps supposedly include cleaning up the company’s network to remove auditing companies “that don’t meet our requirements,” “providing complimentary re-audits and penetration checks to all energetic prospects,” and making it “unambiguously clear” that Delve’s templates for things like board meeting notes “are designed to be beginning factors solely.”
In a post on X, Kaushik made many of the same points but also said, “[W]e grew too quick and fell in need of our personal normal. To our prospects, we deeply apologize for the inconveniences prompted.”
TechCrunch has reached out to Y Combinator and DeepDelver for any response to Delve’s comments.
