The controversy around Delve seems to have cost the compliance startup its relationship with accelerator Y Combinator.
Delve is not listed among YC’s list of portfolio companies, and the Delve page appears to have been removed from the YC website. In addition, the startup’s COO Selin Kocalar posted on X that “YC and Delve have parted ways.”
“I still remember the day we took our YC interview at MIT,” Kocalar said. “We’re so grateful to the community and every founder friend we’ve made.”
YC isn’t the first investor to distance itself from Delve. Insight Partners also appears to have deleted posts about its investment in the company, though its main blog post was later restored.
Meanwhile, Delve continues to push back against anonymous claims that it misled customers by telling them they were compliant with privacy and security regulations while allegedly skipping important requirements and auto-generating reports for “certification mills that rubber stamp reports.”
These claims were first published in an anonymous Substack post attributed to “DeepDelver,” who described themselves as a former Delve customer who became suspicious after receiving leaked data about the startup’s clients.
DeepDelver published subsequent posts sharing what they said were Slack and video posts from the company, as well as accusing Delve of passing off an open source tool as its own, without giving credit or reaching an agreement with the developer. A security researcher also said he was able to access sensitive Delve data.
Meanwhile, Delve became part of a related controversy when malware was discovered in an open source project developed by Delve customer LiteLLM.
In the company’s latest blog post, Delve’s COO Kocalar and CEO Karun Kaushik declared their intention to set “the record straight on anonymous attacks.” Among other things, they claimed that the company has hired a cybersecurity firm “to help us understand what happened,” and said the “evidence points to a malicious attack rather than a genuine whistleblower.”
“It appears that an attacker purchased Delve under false pretenses, maliciously exfiltrated data, including Delve’s internal company data, and used it to launch a coordinated smear campaign against us,” they said. The blog post also includes a screenshot that they said “shows the attacker exfiltrating our audit tracking spreadsheet via file.io.”
Beyond this accusation, Delve also described DeepDelver’s criticism as “a mix of fabricated claims, cherry-picked screenshots, and data taken out of context.” For example, they said DeepDelver “dismisses our AI while acknowledging it automated 70% of a security questionnaire.”
On the question of using open source tools, Delve said it “built on an Apache 2.0 open-source repository, which explicitly permits commercial use, and significantly rebuilt it for compliance use cases.”
However, the executives also said they’ve been taking steps to ensure customers “feel confident in our platform and compliance outcomes.”
These steps supposedly include cleaning up the company’s network to remove auditing firms “that don’t meet our standards,” “offering complimentary re-audits and penetration tests to all active customers,” and making it “unambiguously clear” that Delve’s templates for things like board meeting notes “are designed to be starting points only.”
In a post on X, Kaushik made many of the same points but also said, “[W]e grew too fast and fell short of our own standard. To our customers, we deeply apologize for the inconveniences caused.”
TechCrunch has reached out to Y Combinator and DeepDelver for any response to Delve’s comments.

