This week, a detailed investigation published on Substack by a group writing under the name DeepDelver exposed what may be one of the most significant compliance fraud cases in recent memory. Delve, a compliance automation startup that raised $32 million from Insight Partners and was backed by Y Combinator, is accused of systematically generating fabricated SOC 2, ISO 27001, HIPAA, and GDPR compliance reports for hundreds of clients.
The allegations are based on a leaked Google spreadsheet containing links to hundreds of draft audit reports. The investigation claims that 493 out of 494 SOC 2 reports contained identical boilerplate text — same grammatical errors, same nonsensical sentences — with only the company name, logo, and signature swapped in. Auditor conclusions were reportedly pre-written in draft reports before clients even submitted their company descriptions. The auditing firms marketed as “US-based CPA firms” were traced to entities operating out of India through virtual office addresses and shell registrations.
Delve published a response today calling the claims “misleading” and characterizing themselves as a platform that simply assists with compliance workflows while independent auditors issue final reports. Whether that framing holds up is a question for regulators and, potentially, courts. But for the hundreds of companies that used Delve — many of them handling protected health information or personal data of EU residents — the more immediate question is: what is your actual legal exposure right now?
That's what this post is about.
“Our vendor handled compliance” is not a legal defense
The instinct of every affected company will be to point at Delve. We paid them. They told us we were compliant. We relied on their platform and their auditors. That framing may be emotionally satisfying, but it does not hold up under any of the major regulatory frameworks.
Under HIPAA, the compliance obligation belongs to the covered entity. Full stop. The HIPAA Security Rule requires covered entities and business associates to conduct their own risk analysis, implement safeguards, and document everything. HHS's Office for Civil Rights does not distinguish between “we didn't do it” and “we paid someone who didn't do it.” A covered entity can be held liable for a business associate's violations if it knew, or through reasonable diligence should have known, of a pattern of non-compliance. If your SOC 2 report was fabricated and your security controls were never actually verified, you don't have a compliance program — you have a PDF.
Civil penalties for HIPAA violations currently range from $145 per violation up to $2.19 million per violation for willful neglect. Criminal penalties for knowing violations can reach $250,000 and up to 10 years imprisonment. And critically, penalties are assessed per violation — a single systemic failure affecting thousands of patient records can be treated as thousands of individual violations.
Under GDPR, the picture is equally stark. Article 83(5) imposes fines of up to €20 million or 4% of annual global turnover for violations of core data processing principles, data subject rights, and cross-border transfer rules. Article 83(4) covers violations of controller and processor obligations at up to €10 million or 2% of turnover. If your GDPR compliance documentation was fabricated, the underlying data protection controls it was supposed to evidence may not actually be in place. That's not a documentation problem. That's a substantive violation affecting every individual whose data you process.
Under the CPRA (California Privacy Rights Act), the California Privacy Protection Agency can impose fines of up to $2,500 per violation or $7,500 per intentional violation. Section 1798.150 also provides a private right of action for data breaches involving sensitive personal information, with statutory damages of $100 to $750 per consumer per incident. If your compliance posture was based on fabricated audit evidence, and a breach occurs, you face both regulatory action and direct litigation from affected consumers.
The pattern across all these frameworks is the same: the obligation to comply is yours. You cannot outsource accountability.
The structural problem nobody wants to talk about
The Delve case is shocking, but it didn't happen in a vacuum. It exploited weaknesses that are baked into how compliance attestation works today.
SOC 2 is a voluntary framework. There is no government regulator reviewing the auditor's work. There is no accreditation body with enforcement powers verifying that the CPA firm signing the report actually tested controls independently. The AICPA sets professional standards, but enforcement relies on self-policing and market reputation. When a platform like Delve controls the template, selects the auditor, and manages the entire evidence pipeline, the theoretical independence of the audit process collapses.
The investigation claims that every single Type II report in the dataset — covering 259 companies over individual three-month observation periods — reported zero security incidents, zero personnel changes, zero customer terminations, and zero cyber incidents. Every one. The statistical improbability of that alone should have triggered questions. But the system isn't designed to ask those questions. Nobody upstream is checking.
Contrast this with the GDPR model, where supervisory authorities (Data Protection Authorities) have independent investigation and enforcement powers. Or with the EU AI Act's conformity assessment framework, which structurally separates assessment from commercial interest and requires notified bodies to be accredited, independent, and supervised. These models have their own problems, but they don't leave attestation entirely in the hands of the party being attested.
The uncomfortable truth is that SOC 2 compliance has become, for many startups, a sales enablement exercise rather than a security exercise. “We need SOC 2 to close the deal” is the starting point, and the system has evolved to service that demand as quickly and cheaply as possible. Delve simply took that logic to its endpoint.
What affected companies should do now
If your organization used Delve for any compliance framework, here is what you should be doing this week — not next quarter, this week.
- Get an independent assessment of your actual security posture. Not another SOC 2 engagement. A genuine technical review of your controls, your access management, your encryption practices, your incident response capability. You need to know what's real and what was only ever a template.
- Review your Business Associate Agreements. If you handle PHI and your BAA references compliance certifications that may have been fabricated, you need legal counsel now. Your counterparties may also have exposure, and they'll be asking questions.
- Audit your public-facing compliance claims. If you have a trust page, a security portal, or marketing materials that reference SOC 2 certification, HIPAA compliance, or GDPR conformity based on Delve's work, you need to either verify those claims independently or take them down. Making compliance assertions you cannot substantiate is itself a regulatory risk.
- Understand which frameworks actually apply to you. One of the underreported aspects of this story is that many startups pursue compliance certifications because a customer asked for them, without fully understanding the underlying legal obligations. SOC 2 is voluntary. HIPAA is not. GDPR is not. If you process health data of US citizens, you have obligations under federal law regardless of whether your SOC 2 report is real or fake. If you process personal data of EU residents, GDPR applies to you whether or not you've heard of a supervisory authority. Know what laws you're actually subject to, not just which logos look good on your website.
- Document everything you do from this point forward. If a regulator comes knocking — and given the scale of this, that's increasingly likely — your best defense is demonstrating that you identified the problem, took immediate corrective action, and implemented a genuine compliance program. Doing nothing after learning your compliance may have been fabricated turns a vendor problem into a willful neglect problem.
The bigger lesson
The Delve case will be discussed as a startup scandal, and it is one. But the more important takeaway is structural. Compliance automation is genuinely valuable — there is too much manual busywork in traditional compliance processes, and technology should reduce that burden. But automation that replaces the work without replacing the rigor is not compliance. It's theater.
For companies building in this space, and for companies buying compliance tools, the question going forward shouldn't be “how fast can we get compliant?” It should be “how do we know our compliance is real?”
That question deserves better answers than the industry has been providing.