My thoughts on Delve

Kid you not, I spoke with a close friend and advisor on Monday, who suggested I look into Delve and their services as a potential incumbent. Now this $32 million series A compliance company is at the center of a fraud investigation that has the RegTech sector dumbfounded.

Here are the alleged claims: Delve promised speed through AI, secure handling of user data, and legal confidence that your company would become SOC 2 compliant when you used them. Instead, according to an anonymous investigation posted on SubStack and reported by TechCrunch, users received template-heavy reports that were rubber-stamped by unverifiable audit firms. 494 reports with 99.8% identical language, including the same grammatical errors and found across hundreds of clients. The investigation also raises concern about the HIPAA work done by Delve, which could lead to federal enforcement if found to be true.

In the past few years of YC batches, amplified with the AI-craze, automation has been the name of the game. Founders are champing at the bit to find a corner of manual work that has been untouched by computer programs and language models, and set up camp figuring out how to turn a fax into a spreadsheet. This is the same camp that biogate is setting up, and its the same fortress that Delve had been building. However, there’s been a recurring pattern across the tech industry: companies promising full automation often end up burying manual work inside an automatic shell. We’ve seen the same tension bubbling with Waymo, when a Senate hearing revealed that roughly half of the company’s remote assistance operators are based in the Philippines. The vehicles remain in control of the driving, but the gap between what is marketed and the reality of operations is still prevalent.

Then there’s the spreadsheet leak. According to the whistleblower, Delve admitted in January to the leaking of hundreds of client audits and other sensitive information via a publicly accessible spreadsheet. The irony is difficult to ignore: a company with security at its forefront struggles to manage its own data hygiene. It’s a cautionary tale for any young founder in the regulatory sector. If a client can’t trust your own organization to be detailed and discrete with sensitive information, how can they trust your product?

— Evaristo at biogate