The compliance startup Delve has been dropped from the Y Combinator (YC) portfolio, signaling a significant fallout following accusations of misleading clients and questionable operational practices. The company is no longer listed on YC’s website, and Delve COO Selin Kocalar confirmed the split on X, stating, “YC and Delve have parted ways.” This move follows similar distancing by Insight Partners, who temporarily removed mentions of their investment before restoring some content.
The Core of the Controversy
The dispute centers around claims made by an anonymous source, “DeepDelver,” who alleges Delve misrepresented its compliance capabilities, potentially selling ineffective certifications to clients. DeepDelver shared leaked data and internal communications suggesting Delve automated reports for questionable certification mills while skipping necessary due diligence.
The accusations escalated further when malware was discovered in an open-source project used by a Delve customer, LiteLLM. While the exact connection remains unclear, this incident adds to the growing scrutiny around Delve’s security and operational integrity.
Delve’s Response: Attack or Whistleblowing?
Delve executives Karun Kaushik and Selin Kocalar have vehemently denied the claims, calling them a coordinated smear campaign orchestrated by a malicious actor. They claim an attacker purchased access under false pretenses, exfiltrated data, and used it to damage Delve’s reputation.
The company asserts it has hired a cybersecurity firm to investigate, pointing to evidence of data theft and accusing DeepDelver of fabrication and selective evidence presentation. They also defend their use of open-source tools, arguing they complied with licensing terms and significantly improved the software for compliance purposes.
Damage Control Measures
To mitigate the fallout, Delve announced several corrective actions:
- Removing auditing firms that don’t meet their standards.
- Offering complimentary re-audits and penetration tests to existing customers.
- Clarifying that their templates are meant as starting points, not final compliance solutions.
CEO Kaushik acknowledged the company grew too quickly, falling short of its own standards, and issued an apology to affected customers.
“We grew too fast and fell short of our own standard. To our customers, we deeply apologize for the inconveniences caused.” — Karun Kaushik
What This Means
Delve’s situation highlights the risks inherent in fast-growing startups that prioritize scale over verification. The accusations, whether true or false, have damaged investor trust and raise questions about the rigor of compliance in the tech sector. The departure from Y Combinator is a stark signal that even highly selective accelerators will cut ties with companies facing serious integrity concerns.
The incident underscores the importance of transparency, data security, and thorough due diligence for both startups and their clients. Without these, even promising ventures can unravel quickly under scrutiny.
