The Delve Compliance Scandal: What It Means for Your Security Reviews - and What to Do Next

Published March 2026 · Targhee Security

A YC-backed compliance startup valued at $300M systematically fabricated hundreds of SOC 2, ISO 27001, HIPAA, and GDPR audit reports. 494 reports. 58 companies identified by name. Countless enterprise buyers who accepted those reports as proof of vendor security.

If you're a company that used Delve, a vendor whose supplier used Delve, or an enterprise buyer who accepted a Delve-issued report during a security review — this article is for you.

We'll cover what happened, who's affected, what you need to do right now, and how the industry needs to rethink vendor security reviews going forward.

What Happened

In late 2025, a misconfigured Google Spreadsheet belonging to Delve — a compliance automation startup that had raised $32 million from Insight Partners at a $300 million valuation — was accidentally made public. The spreadsheet contained links to hundreds of confidential draft SOC 2 and ISO 27001 audit reports.

A group of former Delve customers, operating under the name "DeepDelver," investigated the leaked data and published their findings in a detailed Substack report in early 2026. TechCrunch subsequently confirmed and expanded on the story.

The findings were damning:

  • 493 out of 494 SOC 2 reports were nearly identical. The same paragraphs, the same grammatical errors (including "because there no security incidents"), the same nonsensical descriptions — with only the company name and logo swapped out.

  • Auditor conclusions were pre-written. The "Independent Service Auditor's Report" and all test procedures existed in draft reports before clients had submitted any evidence. The conclusion existed before there was anything to audit.

  • Zero security incidents across 259 companies. Every single Type II report claimed zero incidents across the entire observation period. The statistical probability of this across 259 separate companies is effectively zero.

  • Rubber-stamp audit firms. Delve's "US-based CPA firms" traced to Indian certification mills operating through shell entities and mailbox agents. The primary ISO 27001 certifier, Gradient Certification, was registered in Wyoming through a mailbox agent and filed dormant accounts with Companies House for four consecutive years.

  • Pre-fabricated evidence. The platform auto-generated passing evidence for employees who hadn't completed onboarding, fabricated board meeting minutes and risk assessments, and published fully populated trust pages the moment clients first logged in — before any compliance work had been done.

Delve has denied the allegations, characterizing itself as an "automation platform" that provides templates to auditors rather than producing attestations. However, Insight Partners has since scrubbed its investment thesis article about Delve, and Lovable — Delve's highest-profile customer at a $6.6 billion valuation — publicly confirmed it had already transitioned to Vanta months before the scandal broke.

Who's Affected

The impact extends far beyond Delve's direct customers.

If You're a Delve Customer

Your SOC 2, ISO 27001, HIPAA, or GDPR certifications may be invalid. According to the investigation, reports were generated from identical templates with pre-written auditor conclusions — before your team provided any evidence. This means your actual security controls may not have been tested or verified.

58 companies have been identified by name, including Lovable, Bland, 11x, Incorta, WisprFlow, Greptile, micro1, and Sentra. Approximately 436 additional companies remain unidentified.

If You're an Enterprise Buyer Who Accepted a Delve Report

If any of your vendors provided a SOC 2 or ISO 27001 report during a security review, and that report was produced through Delve, you now have a gap in your third-party risk management audit trail. The report you accepted as evidence of your vendor's security posture may be worthless.

The dupedbydelve.com website lists downstream enterprise exposure including OpenAI, PayPal, Stripe, Amazon, Microsoft, and the U.S. Department of Veterans Affairs — all of which accepted compliance documentation from confirmed Delve customers during vendor security reviews.

If You're in a Regulated Industry

The exposure is especially acute for companies processing protected health information (HIPAA), EU personal data (GDPR), or financial data:

  • HIPAA: Companies processing PHI face potential criminal liability. A fraudulent SOC 2 does not satisfy the HIPAA Security Rule's administrative safeguards. The Office for Civil Rights does not distinguish between "we didn't know our compliance was fake" and deliberate fraud when patient data is at risk.

  • GDPR: Companies processing EU data face fines up to 4% of global annual revenue. A fraudulent ISO 27001 certificate voids the Article 32 "appropriate technical measures" defense.

  • Securities: At least one public company (Duos Edge AI, NASDAQ: DUOT) marketed "SOC 2 Type II–audited" status in SEC filings based on a Delve report.

What to Do Right Now

If You're a Delve Customer

1. Unpublish your Delve trust page immediately. Remove any trust.delve.co page and take down compliance badges referencing Delve-issued reports. Every day these remain live, you're making representations about your security posture based on potentially fabricated evidence.

2. Notify your enterprise customers. Any customer who received a Delve-issued SOC 2, ISO 27001, or other compliance report during a vendor review must be told the report may be invalid. This is uncomfortable, but the alternative — your customer discovering it themselves — is far worse. Proactive transparency builds trust; silence destroys it.

3. Conduct a gap assessment. Delve's "one-click evidence generation" means your actual security posture may not match what was reported. You need an honest assessment of where you actually stand against the controls in your original report. This is the most important step: you may discover gaps you didn't know existed.

4. Engage a legitimate CPA firm. Commission a fresh SOC 2 Type II audit from a reputable, AICPA-registered firm. Do not reuse any Delve artifacts — start from scratch. Verify the auditor independently: look up their AICPA peer review, check for an actual office (not a virtual address), and confirm they have a track record of real engagements.

5. Prepare for a wave of re-questionnaires. Every enterprise customer who accepted your Delve report is going to send you a new security questionnaire. This is coming — plan for it now. The companies that respond quickly and transparently will retain their customers; the ones that delay or deflect will lose them.

6. Consult legal counsel. If you process PHI, EU personal data, financial data, or federal data, you need legal advice on disclosure obligations and potential liability. The "we relied on our compliance vendor" argument has limited legal currency — the compliance obligation belonged to your organization, not to Delve.

7. Preserve evidence. Save copies of all Delve-issued reports, trust page screenshots, communications with Delve, and any internal discussions about compliance. These may be needed for legal proceedings or regulatory inquiries.

If You're an Enterprise Buyer

1. Audit your vendor compliance records. Check whether any vendor in your ecosystem provided compliance documentation that was produced through Delve. Specifically, look for SOC 2 reports issued by Accorp, Gradient Certification, Glocert, Accorian, or DKPC — the audit firms identified in the investigation.

2. Re-questionnaire affected vendors. Any vendor whose compliance report traces back to Delve needs to be re-assessed. Send them a new security questionnaire and request fresh, independently audited documentation. Set a clear deadline.

3. Update your vendor assessment process. Add these questions to your standard vendor security questionnaire:

  • "What compliance automation platform did you use to prepare your SOC 2 report?"

  • "Who is the independent CPA firm that conducted your audit?"

  • "Can you provide their AICPA peer review number?"

  • "What was the observation period for your Type II report?"

These questions would have caught the Delve issue immediately.

4. Don't accept compliance reports at face value. This scandal proves that a SOC 2 badge on a website doesn't mean anything by itself. Verify the auditor. Check the observation period. Look for company-specific details in Section 3 of the report. If the security program description sounds generic enough to apply to any company, it probably does.
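As an added illustration (not Targhee's code and not anything from the investigation), here is a small Python check a buyer's security team could run over the text of vendor-supplied reports to apply the checks above mechanically: it swaps each vendor's name for a placeholder so name-only variants compare as identical, flags near-duplicate system descriptions across vendors, flags implausibly short Type II observation periods, and flags the template wording quoted earlier. The report excerpts, the 0.9 similarity cut-off and the 90-day minimum period are constructed assumptions.

```python
import re
from datetime import date
from difflib import SequenceMatcher

# Constructed stand-ins for the system-description section of three vendor
# SOC 2 reports; the first two come from one template with only the name
# swapped, mimicking the pattern the investigation found. Not real report text.
TEMPLATE = (
    "{c} maintains a comprehensive information security program. Access to "
    "{c} production systems is restricted to authorized personnel. No "
    "corrective actions were required because there no security incidents."
)
REPORTS = {
    "Acme Analytics": {"period": (date(2025, 1, 1), date(2025, 6, 30)),
                       "description": TEMPLATE.format(c="Acme Analytics")},
    "Bolt Payments": {"period": (date(2025, 3, 1), date(2025, 3, 31)),
                      "description": TEMPLATE.format(c="Bolt Payments")},
    "Cedar Health": {"period": (date(2025, 1, 1), date(2025, 12, 31)),
                     "description": "Cedar Health runs clinical workloads on "
                     "AWS in two regions. Two phishing incidents were triaged "
                     "in Q2 and are documented in the incident log."},
}

def normalize(company, text):
    # Swap the vendor's name for a placeholder and collapse whitespace so that
    # reports differing only in the name compare as identical.
    return re.sub(r"\s+", " ", text.replace(company, "<VENDOR>")).strip().lower()

def review(reports, threshold=0.9, min_type2_days=90):
    # Returns vendor -> list of findings. The 0.9 similarity cut-off and the
    # 90-day minimum observation window are review-policy assumptions.
    findings = {name: [] for name in reports}
    norm = {n: normalize(n, r["description"]) for n, r in reports.items()}
    names = list(reports)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            # difflib ratio: 0.0 = nothing in common, 1.0 = identical text
            s = SequenceMatcher(None, norm[a], norm[b], autojunk=False).ratio()
            if s >= threshold:
                findings[a].append(f"templated: {s:.2f} similar to {b}")
                findings[b].append(f"templated: {s:.2f} similar to {a}")
    for n, r in reports.items():
        start, end = r["period"]
        days = (end - start).days
        if days < min_type2_days:
            findings[n].append(f"observation period only {days} days")
        if "there no security incidents" in norm[n]:
            findings[n].append("known template wording present")
    return findings
```

Run `review(REPORTS)` and the two templated vendors are flagged against each other while the vendor with a company-specific description and a full-year period comes back clean.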

The Bigger Lesson: Compliance Reports Are Not Security

The Delve scandal didn't happen in a vacuum. It exploited a structural weakness in how the industry handles vendor security reviews: the entire system runs on trust, and nobody verifies.

The typical vendor security review process today looks like this:

  1. Enterprise buyer asks vendor for a SOC 2 report

  2. Vendor provides a PDF

  3. Buyer's security team skims it and checks a box

  4. Deal proceeds

At no point does anyone verify that the auditor is real, that the observation period actually happened, or that the controls described in the report match reality. The Delve scandal proves that this process is fundamentally broken.

What Needs to Change

Security reviews need to go deeper than a PDF. A SOC 2 report is a starting point, not an endpoint. Enterprise buyers should be asking follow-up questions about specific controls, requesting evidence of ongoing monitoring, and verifying auditor credentials independently.

Questionnaire responses need to be traceable. When a vendor answers "yes, we encrypt data at rest using AES-256," that answer should be linked to a specific policy document, with a version number and a timestamp. Not generated from a template. Not hallucinated by a chatbot. Sourced from the vendor's actual documentation.

This is something we think about constantly at Targhee. Our entire platform is built on the principle that every answer in a security questionnaire should be traceable to a specific source document — with a citation, a confidence score, and a human reviewer who approved it before it was sent. We built it this way because we believe security review answers should be auditable, not just plausible. The Delve scandal is a stark reminder of why that distinction matters.

Trust Centers need to be verified, not decorative. A trust page that was live before any compliance work was done — as Delve allegedly provided — is worse than no trust page at all. A legitimate trust center should contain documents that are current, independently audited, and gated behind an NDA that creates a real access trail.

Vendor risk assessment needs to be continuous. A point-in-time SOC 2 report from 12 months ago doesn't tell you what's true today. Enterprise buyers should be reassessing vendors on a regular cadence — and they should have tooling that makes this manageable at scale, not a manual spreadsheet exercise.

How Targhee Can Help

We built Targhee specifically for the scenario that Delve's affected companies are now facing: responding to a high volume of security questionnaires quickly, accurately, and defensibly.

If You're a Delve Customer Facing Re-Questionnaires

You're about to receive a wave of "prove your compliance is real" requests from every enterprise customer who accepted your old Delve report. Targhee can help you:

  • Answer those questionnaires in hours, not weeks. Upload any questionnaire format (Excel, PDF, Word, portal) and our AI drafts answers from your actual security documentation — your real policies, your legitimate audit reports, your actual architecture docs.

  • Every answer is source-cited. Unlike the fabricated Delve reports, every answer Targhee generates includes a citation to the specific document and section it was drawn from. Your enterprise customers can verify every claim.

  • Human review before anything goes out. Nothing is submitted without your team's explicit review and approval. Confidence scores flag any answer the AI isn't sure about so a human can step in.

  • Set up a Trust Center. Replace your Delve trust page with a legitimate, NDA-gated trust center where buyers can self-serve your actual compliance documents. Most customers see a 75% reduction in inbound questionnaires once their Trust Center is live.

If You're an Enterprise Buyer Re-Assessing Vendors

You need to re-questionnaire every vendor whose compliance documentation may have come from Delve. Targhee's Vendor Risk Assessment module lets you:

  • Send outbound questionnaires at scale. SIG, CAIQ, NIST, or custom frameworks — sent in one click with built-in reminders and deadline tracking.

  • AI-generated risk scores. Our AI reads every vendor response, cross-references supporting documents, and generates a risk score with specific findings.

  • Full audit trail. Every response, every score, every remediation — logged with timestamps and ready for your own auditors.

Moving Forward

The Delve scandal is going to reshape how the industry thinks about vendor compliance. Trust pages will be scrutinized more carefully. SOC 2 reports will be verified, not just accepted. Security questionnaire volume is going to increase across the board as enterprise buyers tighten their vendor review processes.

For companies that take compliance seriously, this is actually an opportunity. The vendors who respond to this moment with transparency, speed, and defensible answers will earn more trust — not less. The ones who delay, deflect, or try to hide will lose customers to competitors who stepped up.

If you're facing a wave of re-questionnaires, or if you're an enterprise buyer who needs to re-assess your vendor ecosystem, we're here to help. Start with a free trial, or request a demo and we'll walk you through a real questionnaire in under 5 minutes.


Targhee Security is an AI-powered security questionnaire platform that helps B2B companies answer inbound questionnaires, share compliance docs via a Trust Center, and assess vendor risk — all from one platform. Unlike compliance automation tools that generate certificates, Targhee focuses on the questionnaire execution layer: answering questions from your actual documentation with source citations, confidence scores, and human review.

This article is provided for informational purposes. Targhee is not affiliated with Delve, any of the companies named in the investigation, or the dupedbydelve.com website. Companies should consult their own legal counsel regarding specific compliance obligations and potential liability.
