Delve – Fake Compliance as a Service
Delve, a 'compliance-as-a-service' startup, is embroiled in scandal over allegations of providing fake SOC 2 certifications and shoddy audit reports. This story ignited a firestorm on HN, revealing systemic issues within the compliance industry and sparking a meta-discussion about content moderation. It underscores persistent concerns about 'security theatre' and the integrity of startups backed by prominent investors.
The Lowdown
Delve, a compliance-as-a-service company, is facing severe allegations of widespread fraud, accused of providing illegitimate SOC 2 compliance reports. The original Substack article, though inaccessible from the provided link, ignited a heated discussion on Hacker News about the integrity of compliance services and the broader tech ecosystem.
- Fraudulent Practices: Delve allegedly provided pre-filled, templated compliance documents that clients were encouraged to accept without customization, leading to non-representative policies and reports. The company was known for offering "cheap and quick" SOC 2 certifications, often marketed as "SOC 2 in days," raising red flags among industry veterans.
- Poor Quality Reports: Allegations included poorly faked reports containing nonsensical assertions and obviously unedited form submissions, suggesting a deliberate lack of due diligence from both Delve and its auditors. There were even claims of generating fake board meeting minutes.
- Data Breach: The scandal also involves a significant data breach where hundreds of client audit reports and other confidential information were leaked via a publicly accessible Google spreadsheet.
- Associated Scams: The controversy extended to other companies, Cluely and HockeyStack, which are accused of various scams, including AI wrapper services, misleading contests, and questionable labor practices.
This scandal has prompted a broader re-evaluation of the compliance industry, exposing a perception of "security theatre" where certifications are sought for optics rather than actual security posture, and raising pointed questions about investor due diligence and the ethical standards within the startup world.
The Gossip
Compliance Conundrums
Commenters widely debated the true value of compliance, with many arguing that it often amounts to 'security theatre'—a performative exercise designed to satisfy regulators or customers rather than genuinely enhance security. The discussion highlighted that companies often seek compliance merely to shift responsibility, leading to superficial efforts that lack real impact. Some noted that while SOC 2 can provide a useful blueprint, its practical application frequently falls short due to a focus on checking boxes over actual security posture.
Delve's Deception Details
Many comments detailed specific allegations against Delve, focusing on its allegedly fraudulent practices. Users pointed to the company's provision of pre-filled, templated compliance documents, which were often rubber-stamped without actual policy reflection. The shoddy quality of audit reports, containing nonsensical phrases and unedited form submissions, was highlighted as evidence of deliberate negligence. Accusations also included Delve facilitating fake board meeting minutes and operating under a 'cheap and quick' model that compromised integrity. The revelation of a major data leak via a public Google spreadsheet further fueled outrage.
HN's Hidden Hand
A significant portion of the discussion revolved around the story's initial suppression on Hacker News. Users speculated that the article was intentionally kept off the front page due to its critical nature towards a YC-backed company. HN moderator 'dang' clarified that the story was initially penalized by an automated voting ring detector, not by human moderation. Once the issue was identified, the penalty was rolled back, and the story was placed on the front page, in line with HN's policy of moderating YC-related news *less*, not more.
Systemic Scrutiny
The Delve scandal prompted broader criticism of the startup ecosystem, investor due diligence, and the culture of 'grifting.' Commenters questioned how companies like Delve, and its alleged affiliates such as Cluely and HockeyStack (accused of their own scams), could secure significant funding without adequate vetting. The 'Forbes 30u30 pipeline' was cited as a path for some founders to succeed despite questionable ethics. This raised concerns about a perceived decline in YC's values and a general lack of accountability in the venture capital market.