Delve Compliance Scandal — March 2026

Your compliance report may be worthless. Here's what to do next.

494 fabricated SOC 2 reports. 58 companies named. If you used Delve — or accepted a Delve report from a vendor — you need to act now.

Last updated: March 26, 2026. This situation is developing — we'll update this page as new information emerges.

  • 494 fabricated SOC 2 reports
  • 58 companies identified by name
  • 99.8% of reports with identical boilerplate
  • ~436 companies still unidentified

Who's affected

Whether you used Delve or accepted a Delve report — you have a problem.

If you're a Delve customer

You're about to be buried in re-questionnaires.

Every enterprise customer who accepted your Delve report is going to send you a new security questionnaire. The companies that respond fast and transparently will keep their customers. The ones that delay will lose them.

  • Targhee answers questionnaires in hours, not weeks — from your actual docs
  • Every answer source-cited and human-reviewed before submission
  • Replace your Delve trust page with a legitimate Trust Center
  • Free trial — start responding to re-questionnaires today
If you accepted a Delve report from a vendor

You have a gap in your vendor risk audit trail.

The compliance report you accepted as proof of vendor security may be fabricated. You need to re-assess every vendor whose documentation traces back to Delve — and you need to do it at scale.

  • Send re-assessment questionnaires to affected vendors in one click
  • AI scores every vendor response and flags gaps
  • SIG, CAIQ, NIST, or custom frameworks — all supported
  • Full audit trail for your own SOC 2 and regulatory compliance
Why Targhee

Targhee is the opposite of what Delve did.

Delve fabricated compliance. Targhee helps you prove it — with answers from your actual documentation, every one traceable and human-approved.

What Delve did

Fabricated compliance

  • Pre-written auditor conclusions before any review
  • Identical boilerplate across 494 reports
  • Auto-generated evidence for processes that never happened
  • Trust pages live before any compliance work was done
  • Rubber-stamp auditors through shell companies
  • No traceability, no version history, no audit trail

What Targhee does

Proves compliance from your real docs

  • Every answer pulled from your actual policies and certifications
  • Source citation on every single answer — verifiable by your buyer
  • Nothing submitted without human review and approval
  • Trust Center gated behind real NDA with access logging
  • Confidence scores flag uncertain answers for manual attention
  • Full version history and audit trail on every submission

How it works

Responding to re-questionnaires in hours, not weeks.

Upload the questionnaire your enterprise customer just sent you. Targhee does the rest.

1. Upload the questionnaire

Drag in any format — Excel, PDF, Word, or portal link. Targhee parses every question and maps it to your knowledge base automatically.

2. AI drafts answers from your docs

Every answer is pulled from your actual security policies, audit reports, and past responses — with a source citation and confidence score. No fabrication. No templates.

3. Review, approve, submit

Your team reviews the AI's draft, edits anything flagged for human attention, and submits. Nothing goes out unreviewed. Your buyer can verify every claim.

Act now

The re-questionnaires are coming. Be ready.

Book a free assessment today. We'll walk you through a real questionnaire in under 5 minutes — answered from your actual documentation, with source citations your buyers can verify.

No credit card required. Paid plans from $12K/yr.
The Full Breakdown

What Happened

In late 2025, a misconfigured Google Spreadsheet belonging to Delve — a compliance automation startup that had raised $32 million from Insight Partners at a $300 million valuation — was accidentally made public. The spreadsheet contained links to hundreds of confidential draft SOC 2 and ISO 27001 audit reports.

A group of former Delve customers, operating under the name "DeepDelver," investigated the leaked data and published their findings in a detailed Substack report in early 2026. TechCrunch subsequently confirmed and expanded on the story.

The findings were damning:

  • 493 out of 494 SOC 2 reports were nearly identical. The same paragraphs, the same grammatical errors, the same nonsensical descriptions — with only the company name and logo swapped out.
  • Auditor conclusions were pre-written. The "Independent Service Auditor's Report" and all test procedures existed in draft reports before clients had submitted any evidence. The conclusion existed before there was anything to audit.
  • Zero security incidents across 259 companies. Every single Type II report claimed zero incidents across the entire observation period. The statistical probability of this is effectively zero.
  • Rubber-stamp audit firms. Delve's "US-based CPA firms" traced to Indian certification mills operating through shell entities and mailbox agents.
  • Pre-fabricated evidence. The platform auto-generated passing evidence for employees who hadn't completed onboarding, fabricated board meeting minutes and risk assessments, and published fully populated trust pages before any compliance work had been done.

Delve has denied the allegations, characterizing itself as an "automation platform" that provides templates to auditors. However, Insight Partners has since scrubbed its investment thesis article about Delve, and Lovable — Delve's highest-profile customer at a $6.6 billion valuation — publicly confirmed it had already transitioned to Vanta months before the scandal broke.

Who's Affected

Delve Customers

Your SOC 2, ISO 27001, HIPAA, or GDPR certifications may be invalid. Reports were generated from identical templates with pre-written auditor conclusions — before your team provided any evidence. 58 companies have been identified by name, including Lovable, Bland, 11x, Incorta, WisprFlow, Greptile, micro1, and Sentra. Approximately 436 additional companies remain unidentified. Check the full list at dupedbydelve.com.

Enterprise Buyers Who Accepted a Delve Report

If any of your vendors provided a compliance report produced through Delve, you now have a gap in your third-party risk management audit trail. The dupedbydelve.com site lists downstream enterprise exposure including OpenAI, PayPal, Stripe, Amazon, Microsoft, and the U.S. Department of Veterans Affairs.

Regulated Industries

HIPAA: Companies processing PHI face potential criminal liability. A fraudulent SOC 2 does not satisfy the HIPAA Security Rule's administrative safeguards.

GDPR: Companies processing EU data face fines up to 4% of global annual revenue. A fraudulent ISO 27001 certificate voids the Article 32 defense.

Securities: At least one public company (Duos Edge AI, NASDAQ: DUOT) marketed "SOC 2 Type II–audited" status in SEC filings based on a Delve report.

What to Do Right Now

If You're a Delve Customer

1. Unpublish your Delve trust page immediately. Remove any trust.delve.co page and take down compliance badges referencing Delve-issued reports.
2. Notify your enterprise customers. Any customer who received a Delve-issued report during a vendor review must be told it may be invalid. Proactive transparency builds trust; silence destroys it.
3. Conduct a gap assessment. Delve's "one-click evidence generation" means your actual security posture may not match what was reported. You may discover gaps you didn't know existed.
4. Engage a legitimate CPA firm. Commission a fresh SOC 2 Type II audit from a reputable, AICPA-registered firm. Do not reuse any Delve artifacts — start from scratch.
5. Prepare for a wave of re-questionnaires. Every enterprise customer who accepted your Delve report is going to send you a new security questionnaire. The companies that respond quickly will retain customers; the ones that delay will lose them.
6. Consult legal counsel. If you process PHI, EU personal data, or financial data, you need legal advice on disclosure obligations and potential liability.
7. Preserve evidence. Save copies of all Delve-issued reports, trust page screenshots, and communications. These may be needed for legal proceedings.
Facing a wave of re-questionnaires? Targhee answers them in hours from your actual documentation — with source citations your buyers can verify. Every answer is human-reviewed before submission.

If You're an Enterprise Buyer

1. Audit your vendor compliance records. Check whether any vendor provided documentation produced through Delve. Look for SOC 2 reports issued by Accorp, Gradient Certification, Glocert, Accorian, or DKPC. Cross-reference with the dupedbydelve.com affected companies list.
2. Re-questionnaire affected vendors. Any vendor whose compliance report traces back to Delve needs to be re-assessed. Set a clear deadline. If you need to do this at scale, Targhee's Vendor Risk Assessment module lets you send outbound questionnaires with AI-powered risk scoring.
3. Update your vendor assessment process. Add these questions to your standard security questionnaire:
  • "What compliance automation platform did you use to prepare your SOC 2 report?"
  • "Who is the independent CPA firm that conducted your audit?"
  • "Can you provide their AICPA peer review number?"
  • "What was the observation period for your Type II report?"

These questions would have caught the Delve issue immediately.

4. Don't accept compliance reports at face value. Verify the auditor. Check the observation period. Look for company-specific details in Section 3 of the report. If the security program description sounds generic enough to apply to any company, it probably does.
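
The auditor and Section 3 checks from the steps above, as an added example (not code from Targhee or from the investigation): it flags reports issued by one of the firms named in step 1 and reports whose Section 3 text is nearly identical to another vendor's once the company name is masked. The vendor names, sample texts, the `shingles` and `triage` helpers and the 0.8 similarity threshold are assumptions constructed for illustration.

```python
import re
from itertools import combinations

# Auditor names this page tells buyers to look for (step 1 above).
FLAGGED_AUDITORS = {"accorp", "gradient certification", "glocert", "accorian", "dkpc"}

def shingles(text, company, k=5):
    """Mask the vendor's own name, then return the set of k-word shingles."""
    masked = re.sub(re.escape(company), "<company>", text, flags=re.IGNORECASE)
    words = re.findall(r"[a-z0-9<>]+", masked.lower())
    return {" ".join(words[i:i + k]) for i in range(max(len(words) - k + 1, 1))}

def jaccard(a, b):
    """Share of shingles two texts have in common (0.0 to 1.0)."""
    return len(a & b) / len(a | b) if a | b else 0.0

def triage(reports, threshold=0.8):  # threshold is an assumed cut-off
    """Return {vendor: [findings]} for auditor matches and near-identical text."""
    findings = {r["vendor"]: [] for r in reports}
    for r in reports:
        if r["auditor"].strip().lower() in FLAGGED_AUDITORS:
            findings[r["vendor"]].append(f"auditor to check: {r['auditor']}")
    sets = {r["vendor"]: shingles(r["section3"], r["vendor"]) for r in reports}
    for a, b in combinations(sets, 2):
        score = jaccard(sets[a], sets[b])
        if score >= threshold:
            findings[a].append(f"section 3 matches {b} ({score:.2f})")
            findings[b].append(f"section 3 matches {a} ({score:.2f})")
    return findings

# Constructed sample records; vendor names and texts are invented.
TEMPLATE = ("{n} maintains a formal information security program. {n} reviews "
            "access rights quarterly and encrypts customer data at rest and in "
            "transit using industry standard methods.")
SAMPLE = [
    {"vendor": "Northwind Labs", "auditor": "Example CPA LLP",
     "section3": TEMPLATE.format(n="Northwind Labs")},
    {"vendor": "Bluefin Data", "auditor": "Glocert",
     "section3": TEMPLATE.format(n="Bluefin Data")},
    {"vendor": "Cedar Systems", "auditor": "Example CPA LLP",
     "section3": "Cedar Systems runs ingestion on three clusters. Production "
                 "access needs hardware keys, and break-glass sessions are "
                 "reviewed by the on-call engineer every Monday."},
]

if __name__ == "__main__":
    for vendor, notes in triage(SAMPLE).items():
        print(vendor, "->", notes or "no findings")
```

A match is a prompt for manual review of the report and its auditor, not a verdict; legitimate reports from the same audit firm can share some standard wording.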

The Bigger Lesson: Compliance Reports Are Not Security

The Delve scandal exploited a structural weakness in how the industry handles vendor security reviews: the entire system runs on trust, and nobody verifies.

The typical process today: enterprise buyer asks for a SOC 2 report, vendor provides a PDF, buyer's security team skims it and checks a box, deal proceeds. At no point does anyone verify that the auditor is real, that the observation period happened, or that the controls match reality.

Security reviews need to go deeper than a PDF. A SOC 2 report is a starting point, not an endpoint. Buyers should be asking follow-up questions about specific controls, requesting evidence of ongoing monitoring, and verifying auditor credentials independently.

Questionnaire responses need to be traceable. When a vendor answers "yes, we encrypt data at rest using AES-256," that answer should be linked to a specific policy document, with a version number and a timestamp. Not generated from a template. Sourced from the vendor's actual documentation.

This is what Targhee's questionnaire automation platform is built on: every answer traceable to a specific source document, with a citation, a confidence score, and a human reviewer who approved it. The Delve scandal is a reminder of why that distinction matters.

Trust Centers need to be verified, not decorative. A trust page that was live before any compliance work was done is worse than no trust page at all. A legitimate trust center should contain current, independently audited documents gated behind an NDA with access logging.

Vendor risk assessment needs to be continuous. A point-in-time SOC 2 report from 12 months ago doesn't tell you what's true today. Targhee's Vendor Risk Assessment module makes ongoing reassessment manageable at scale.

How Targhee Can Help

We built Targhee specifically for the scenario that Delve's affected companies are now facing: responding to a high volume of security questionnaires quickly, accurately, and defensibly.

For Delve Customers Facing Re-Questionnaires

  • Answer questionnaires in hours, not weeks. Upload any format and our AI drafts answers from your actual security documentation — your real policies, your legitimate audit reports, your actual architecture docs.
  • Every answer is source-cited. Every answer includes a citation to the specific document and section it was drawn from. Your enterprise customers can verify every claim.
  • Human review before anything goes out. Nothing is submitted without your team's explicit approval. Confidence scores flag uncertain answers for manual attention.
  • Replace your Delve trust page. Set up a legitimate, NDA-gated trust center where buyers can self-serve your actual compliance documents.

For Enterprise Buyers Re-Assessing Vendors

  • Send outbound questionnaires at scale. SIG, CAIQ, NIST, or custom frameworks — sent in one click with built-in reminders and deadline tracking.
  • AI-generated risk scores. Our AI reads every vendor response, cross-references supporting documents, and generates a risk score with specific findings.
  • Full audit trail. Every response, every score, every remediation — logged with timestamps and ready for your own auditors.
Ready to get started? Book a free assessment and we'll walk you through a real questionnaire in under 5 minutes.

Targhee Security is an AI-powered security questionnaire platform that helps B2B companies answer inbound questionnaires, share compliance docs via a Trust Center, and assess vendor risk — all from one platform. Unlike compliance automation tools that generate certificates, Targhee focuses on the questionnaire execution layer: answering questions from your actual documentation with source citations, confidence scores, and human review.

This page is provided for informational purposes. Targhee is not affiliated with Delve, any of the companies named in the investigation, or the dupedbydelve.com website. Companies should consult their own legal counsel regarding specific compliance obligations and potential liability.