Breaking
RUДвижение на выезде из Ярославля в сторону Москвы перекрыто из-за атаки БПЛАCN強颱巴威逼近!氣象署:週四晚起北台灣轉雨,各地風雨不可小覷DERussland greift ukrainische Städte mit Drohnen und Raketen anKR증평군, 먹거리통합지원센터 본격 가동…지역 농업 경쟁력 강화CN云南蓝莓搭乘中老铁路“澜湄快线”出口东南亚CN屏東東港南平海岸傳溺水憾事 17歲高中生戲水失聯不治KR파주시, 드론 활용 말라리아 매개 모기 유충 방제 사업 추진FRBrésil : la fin d'un mythe, la Seleçao éliminée de la Coupe du MondeARالنرويج تحتفل بـ"المعجزة" بعد إقصاء البرازيل والتأهل لربع نهائي المونديالCN達美航空航班降落芝加哥時疑似遭煙火擊中,FAA已展開調查RUДвижение на выезде из Ярославля в сторону Москвы перекрыто из-за атаки БПЛАCN強颱巴威逼近!氣象署:週四晚起北台灣轉雨,各地風雨不可小覷DERussland greift ukrainische Städte mit Drohnen und Raketen anKR증평군, 먹거리통합지원센터 본격 가동…지역 농업 경쟁력 강화CN云南蓝莓搭乘中老铁路“澜湄快线”出口东南亚CN屏東東港南平海岸傳溺水憾事 17歲高中生戲水失聯不治KR파주시, 드론 활용 말라리아 매개 모기 유충 방제 사업 추진FRBrésil : la fin d'un mythe, la Seleçao éliminée de la Coupe du MondeARالنرويج تحتفل بـ"المعجزة" بعد إقصاء البرازيل والتأهل لربع نهائي المونديالCN達美航空航班降落芝加哥時疑似遭煙火擊中,FAA已展開調查
Newsgather
BackDelve Compliance Startup Faces Multiple Controversies as More Customers Ditch After Whistleblower Allegations
Delve Compliance Startup Faces Multiple Controversies as More Customers Ditch After Whistleblower Allegations
Developing
TechCrunch4/23/2026Tech3 min readUnited States

Delve Compliance Startup Faces Multiple Controversies as More Customers Ditch After Whistleblower Allegations

Context AI confirms Delve handled its security certification before Vercel breach; whistleblower claims Hawaii trip while denying refunds

Quick Look

  • Delve, a compliance startup that performs security certifications, faces mounting controversies after a whistleblower alleged faking customer data and using rubber-stamping auditors.
  • TechCrunch confirmed Delve certified Context AI, whose security incident led to a data breach at Vercel.
  • Context AI and Lovable have both left Delve and are re-certifying with other firms.

AI-generated summary

Why It Matters

Delve was a Y Combinator-backed compliance startup that performed security certifications for AI and tech companies. After whistleblower allegations of faking data and using inadequate auditors, multiple customers have left. The controversy escalated when a breach at Context AI led to Vercel being hacked.

Font size

The story of embattled compliance startup Delve keeps hitting twists and turns. TechCrunch has confirmed that Delve was the compliance company that performed the security certifications for Context AI, the AI agent training startup that last week disclosed a security incident which led to a data breach at popular app and website hosting giant Vercel. On the other hand, Lovable, which had its own security incident, is no longer a Delve customer.

To recap: Last month, Delve came under fire when an anonymous whistleblower alleged that the startup was faking customer data, and using rubber-stamping auditors in its compliance and certifications processes. Delve has denied those allegations. Soon afterwards, hackers attacked one of Delve's security certification customers, LiteLLM, and planted malware in its open source code. After the incident, LiteLLM told TechCrunch it was dumping Delve and getting re-certified.

Delve was also accused of taking an open source tool and passing it off as its own work without proper license attribution. The startup's reputation grew shaky, prompting Y Combinator, where Delve graduated from, to sever ties.

Fast forward to last weekend, Vercel said hackers had breached its internal systems and accessed some customer data. The company said hackers broke in after an employee downloaded an app made by Context AI and connected that app to Vercel's corporate account hosted by Google. The hackers abused that employee's access to their Google account to break into some of Vercel's internal systems.

After Context AI was named in the Vercel attack, Gergely Orosz, author of the engineering newsletter, The Pragmatic Engineer, said in a post on X that Delve was the company that handled Context AI's security certification. Context AI has now confirmed to TechCrunch that it did use Delve, but it has since ditched the startup and is in the process of getting re-certified.

"Yes, Context was previously a Delve customer," a spokesperson for Context AI told TechCrunch. "Following the reporting surrounding Delve in March, we transitioned our compliance program to Vanta and engaged Insight Assurance, an independent audit firm, to conduct new examinations. As part of the re-examination, we began updating our public materials, and we'll share the new attestation when it is complete," the spokesperson added.

Security certifications on their own don't stop security issues. They are intended to verify that a company has policies and processes in place to hinder attacks and reduce the likelihood of customer data being compromised. Case in point: Lovable was a Delve customer, but after the whistleblower's allegations came out, the vibe-coding platform said it had ditched the startup back in late 2025. The company has already re-completed one security certification, and is in process of redoing others, it said.

Still, Lovable on Monday admitted that it had inadvertently shared access to customer chat data publicly. The company also said it had dismissed vulnerability reports that alerted the company to the problem months earlier. Lovable apologized for initially denying there was a data breach, though it said the issue was caused by a configuration error, rather than a hack.

There's even weirder news swirling around Delve. The anonymous whistleblower, DeepDelver, has published another post alleging Delve was denying refunds to customers, but still took its team of more than 20 people to an offsite meeting in Hawaii between April 15 and April 19. The whistleblower shared some compelling receipts with TechCrunch that lend credence to the alleged Hawaii trip, but TechCrunch could not confirm other claims. Delve did not respond to requests for comment and confirmation, and an email sent to its media relations address bounced.

What to Watch

AI outlook — possibilities, not facts

  • More Delve customers will switch to competitors like Vanta for compliance certification

    Very likely · Within weeks

  • Delve may face legal action from customers seeking refunds

    Likely · Within months

  • Regulatory investigation into Delve's certification practices

    Possible · Within months

Open Questions

  • Did Delve actually fake customer data as alleged?
  • Was the Hawaii trip actually funded by denied refunds?
  • How many more customers will leave Delve?
  • Will there be regulatory action against Delve?

Related Topics

This article was originally published by TechCrunch.

Related Stories

More on this topicdelve