Delve

delve.co

Monitoring

Critical Compliance Incident: Fabricated SOC 2 Reports

Delve was found to have systematically generated 494 fabricated SOC 2 reports for 378+ companies. Reports were 99.8% identical boilerplate. All compliance attestations issued through this platform should be treated as invalid.

Published Security Advisories

The Delve Compliance Scandal: 378 Companies, 494 Fabricated SOC 2 Reports

Published 2026-03-27 06:38

Critical

Active Incident

critical

Delve Fabricated SOC 2 Reports Scandal

Delve, a Y Combinator-backed compliance automation startup, systematically generated 494 fabricated SOC 2 reports for 378+ companies. Reports were 99.8% identical boilerplate with fabricated Type 2 monitoring data. Seven audit firms were identified routing work through the platform, with Accorp Partners handling the majority.

Affected Companies

351

Started

Dec 2025

Status

Active

View Timeline

Jul 2025: Delve raises $32M Series A at $300M valuation, led by Insight Partners Dec 2025: Publicly accessible Google Spreadsheet containing draft SOC 2 reports discovered Jan-Feb 2026: Former clients compare reports, identify systematic fabrication patterns Mar 19, 2026: Whistleblower 'DeepDelver' publishes Part I on Substack Mar 20, 2026: Delve calls allegations 'misleading', characterizes outputs as 'templates' Mar 21-22, 2026: TechCrunch investigation published. Additional security vulnerabilities disclosed Mar 23, 2026: Insight Partners removes investment thesis post. dupedbydelve.com launches Mar 24, 2026: Accorp Partners denies signing reports despite CPA license ID in all 494 reports Mar 26, 2026: LiteLLM (3.4M daily downloads) confirmed as Delve client. Lovable ($6.6B) confirms prior use Mar 27, 2026: Techimpossible advisory published with full 378-company dataset analysis