Delve - HAWAII EDITION - Part II - Post 3 of 5


REPORTERS — I have externally verifiable evidence for all of the below. Reach out and I will share it with you.

DELVE CLIENTS — You do not have to take Delve’s offer for a “complimentary audit” from Ezzy & Associates. Ezzy never did a SOC 2 audit before Delve (see their peer review), and is promising to continue audits where Accorp left off. You can and should get a full refund instead as Ezzy has already been blacklisted by multiple enterprises before they even deliver their first audit report. Only accept Delve’s offer for a re-audit if it is through A-lign. I will elaborate on this in a follow-up article.

Delve has created a dedicated refund request form to make the refund process easy.

TL;DR: While Delve is telling HIPAA clients they can't have refunds because Delve "delivered value," the entire company is in Hawaii this week renting Lamborghinis at an offsite their investor asked them to cancel. Delve's own internal Notion admits they don't believe their controls cover HIPAA. A client call transcript, below, shows Delve staff coaching customers to enter fabricated board meetings into audit evidence.

Please share this article on X and LinkedIn.

Aloha everyone!

Took a while for another part to drop, but here we are.

Before we dive into anything specific, we have to set everything aside, because it is party time! At least it is at Delve HQ, which has temporarily moved to Hawaii for their annual offsite.

“A misleading fraudulent AI-generated photo that is clearly Fake!” — Karun Kaushik

And it isn’t just any offsite; it is extra extravagant this time around.

They rented:

  • Lamborghinis

  • Porsche 911s

  • Escalades

  • Range Rovers

  • One G-Wagon

You read that right! While they are actively telling their clients that they are not getting a refund on HIPAA because Delve claims to have “delivered value,” they are actually driving million-dollar sports cars in Hawaii.

Seems like Delve’s founders “moved too fast” again!

Delve might have parted ways with YC (or rather, been kicked out), but the team at Delve has been told by Karun and Selin that Insight will come out with a public statement soon in support of Delve. Insight just needs to finish their internal review first.

Phew, it was looking scary for a moment. Heartwarming to see Insight is still on board. For a second we all thought Delve’s fraud, lies and deceit would not fly with their largest investor, but it turns out it fits the Insight operating model perfectly!

Insight Partners — The scammers’ choice.

Sadly, that love from Insight is not reciprocated though…

Delve’s Hawaii offsite is taking place at the very moment this article is published. The entire Delve team flew to Hawaii on April 15 and will stay there through April 19.

Why haven’t you heard of this offsite? Well, that is because Delve’s official position is that it was cancelled and that Delve employees are travelling individually. They just all happen to travel individually and independently to the very same resort.

They don’t want you to know this though, because they don’t want their investor to know. Insight Partners tried to stop Delve from doing this offsite, but Delve apparently didn’t care enough to listen.

My whistleblower contact at Delve told me that Delve is making a lot of effort to make sure you, and thereby their investors, don’t hear about it.

Delve has set a number of strict rules to avoid being caught:

  • No posting on social media

  • Only move around in small groups

  • Stay away from popular locations

  • Pretend like you don’t know each other when you have to go through popular locations

  • Don’t tell any friends or customers about this offsite

  • Change timezone manually on Slack

  • Wear sunglasses and hats in public

This is not a joke.

If you are in Hawaii and you see a number of small groups acting shady with sunglasses and caps near a Lambo, that’s Delve.

Quite a few people have approached me to share (or, less politely, vent about) their experience with Delve.

Just two weeks ago Delve was actively granting all refund requests. Over the past week that has no longer been the case.

They have gotten so cheeky as to claim that the reputational damage Delve has suffered does not constitute a breach of contract.

From what I understand, those that are still successful in getting their money back do two things:

  1. Tell them they are in breach of their contract as a result of multiple leaks and breaches that occurred at Delve recently

  2. Threaten Delve with legal action

One category that stands out is HIPAA. Delve claims that it cannot refund HIPAA fees because HIPAA does not require an outside audit, only a platform to provide structure, which is exactly what Delve says it provided. So Delve’s stance is that it delivered value, and Delve’s customers received that value.

What makes that statement particularly interesting is that Delve was fully aware that their clients did not, and still do not, meet HIPAA requirements. As I highlighted in my previous articles, that statement applies to SOC 2 and ISO 27001 as well.

It was Amber Scapellato who was working on improving all those frameworks up until she left Delve when my first articles came out.

We also don’t have confidence that these sufficiently cover all requirements particularly for HIPAA.
— Delve’s internal Notion

I wrote this before, but Delve’s founders just keep trying to lie their way out of it, as if the legal discovery that is about to take place won’t reveal the exact same documents and information I revealed in my previous articles and am revealing here. Unless they delete all of it, that is, which would itself be visible in the logs and which would constitute obstruction of justice.

There is a particular page on Delve’s internal Notion that is a little over a year old that highlights Delve is not confident that all HIPAA requirements are covered. That document was created at a time when Delve was already serving all of the below frameworks to customers and claiming full coverage. Their coverage has changed slightly since, but is still not complete.

Here is the exact fragment that is relevant.

Breaking down each question

→ Are we enforcing the proper compliance requirements on our companies such that we satisfy what the regulations are looking for?

Vision: we have battle-tested controls/evidence design that works across the board for standard Series A/B/C companies while also flexing to pre-seed/seed. These controls sufficiently map to and meet all SOC 2, HIPAA, etc. regulatory requirements.

Current: we have okay controls/evidence designs that are pretty standard. Some controls have repeated customer pushback. We also don’t have confidence that these sufficiently cover all requirements particularly for HIPAA.

Delta: we need to modify the design of some controls to better adapt the controls to our ICP while minimizing pushback from distracting ICPs. We also need to undergo a HIPAA attestation and SOC 2 audit ourselves to verify that our controls have good coverage on regulations.

The entire page is added as an appendix at the end of this article.

Karun Kaushik and Selin Kocalar recently put out a response to my previous article. In case you haven’t seen it, you can find it here:

They claim to set the record straight, but end up doing the opposite.

They claim no wrongdoing, but have made changes to their entire process. They claim the evidence is fake, yet it was all exfiltrated from their systems.

I will write more about this in a follow-up article, but I do want to highlight two things about this statement and the other ones they put out before:

  1. They try to rebut the claims from my article by stating they have never signed or issued an audit report

    Technically this is true. They generated the report that was ready to sign, and just got an Indian cert mill to stamp it. When you pay an outside party to stamp it, YOU didn’t issue it. But you sure as hell enabled the fraud, and are sure as hell complicit.

  2. They claim to have never faked evidence


    For this one I’m going to pull out a client call (don’t worry, I have many more).

Date: May 5, 2025
Duration: 2:05
People: Sergey Sundukovskiy, Karun Kaushik

[0:00] Sergey Sundukovskiy: Another issue is, when we got Delve, the premise behind getting Delve, not as a tool but as a company, was “hey, we’re bringing the tool and we’re bringing the expertise.” Now I can unequivocally say that having Ross has been net negative. Not only did it not have value, it took away value. And I can tell you why. So for instance, you know, there’s a board meeting form. There’s a couple of things in here.

[0:40] Sergey Sundukovskiy: One, it captures a non-existent meeting. Um, so this meeting doesn’t exist, it’s fake. Nobody had this meeting. The list of attendees here are not board members.

[0:55] Sergey Sundukovskiy: So it’s just some fake stuff, right. So I asked Jenny why did she put it in here. She said Ross told me it was okay. So she talked to Ross and he’s like “okay, well you can put it in,” but this is not real. This doesn’t represent reality. So, she doesn’t know any better, he tells her “you can go ahead and do that.” And she puts it in. So that’s a big no-no, right?

[1:30] Sergey Sundukovskiy: So he needs to act in a consultative capacity, not just how to work with the tool, but also what needs to happen in order for this to be real, and not just one time pass the audit. Well, this wouldn’t pass an audit. Because again, like I said, it’s fake. The meeting didn’t occur, the people in here are not board members. Who knows what else, right? But just to satisfy the check mark, she just did it because Ross told her it was okay.

Don’t forget that I still haven’t dropped that bomb yet!

Appendix. Source: Delve’s Notion workspace, page titled ‘Compliance’

Dec 1, 2024

Overview

Getting compliant is like taking a test. First you need to do the preparation and then you need to take the actual exam.

While supporting companies across the entire journey, here’s what’s important:

→ Are we enforcing the proper compliance requirements on our companies such that we satisfy what the regulations are looking for?

→ Are we making sure that companies have the different compliance requirements (controls) we’ve outlined in place and that they sufficiently meet them?

→ Are we properly gathering data (evidence) to prove that companies meet the different compliance requirements we’ve outlined (controls)?

→ Are we properly displaying this data (evidence) to auditors?

→ Are we facilitating communication between auditors and companies so that auditors can review the evidence?

→ Do we have the right infrastructure in place to do the things to support auditors throughout this entire process?

Breaking down each question

→ Are we enforcing the proper compliance requirements on our companies such that we satisfy what the regulations are looking for?

→ Vision: we have battle-tested controls/evidence design that works across the board for standard Series A/B/C companies while also flexing to pre-seed/seed. These controls sufficiently map to and meet all SOC 2, HIPAA, etc. regulatory requirements.

→ Current: we have okay controls/evidence designs that are pretty standard. Some controls have repeated customer pushback. We also don’t have confidence that these sufficiently cover all requirements particularly for HIPAA.

→ Delta: we need to modify the design of some controls to better adapt the controls to our ICP while minimizing pushback from distracting ICPs. We also need to undergo a HIPAA attestation and SOC 2 audit ourselves to verify that our controls have good coverage on regulations.

@Selin Kocalar we could also think about a dynamic control system that lets you have “levels” of pre-defined or smth like this. Could be interesting. Or o1 goes through and sets a control set based on input from users on their setup.

→ Are we making sure that companies have the different compliance requirements (controls) we’ve outlined in place and that they sufficiently meet them?

→ Vision: we have an AI automated platform to clearly outline the compliance requirements and make it super easy for companies to comply

→ Current: we have a platform with some AI. It has most controls, but for some controls either doesn’t tell companies to implement them at all or we have to take manual screenshots individually from companies.

→ Delta: we need to modify some controls that are difficult to implement from the audits we’ve conducted thus far. We need to add the missing controls to the platform, including implied controls that we don’t strictly enforce but just gather as additional screenshots at the start of an audit. We also need to improve our policies to take care of any typos or areas where customers have had repeated pushback.

→ Are we properly gathering data (evidence) to prove that companies meet the different compliance requirements we’ve outlined (controls)?

→ Vision: we pull all necessary evidence to help companies demonstrate evidence for requirements out of the box without having to do double the work on Delve. For all remaining evidence requests, we have an intuitive workflow for doing so/implementing. We give companies peace of mind that they meet all controls, this is worded well into the policies, and they know which of their usual activities meets which compliance requirement.

→ Current: We have some automation but otherwise require companies to manually demonstrate evidence for all of the requirements. Our platform tries to do too much and takes too much manual time for larger companies because they do a lot of repeat work when only, for example, 3 evidence samples are required for a control, but they’ve spent time uploading 50 samples for the entire team. The UI is pretty intuitive and basic, but can be improved to better walk companies thru the other compliance requirements.

→ Delta: we need to have a checklist to ensure that companies know the bare minimum of to-dos on the team and tech tabs. We should add upload to override where possible and more clearly walk companies thru the steps of implementing other compliance requirements. We need to provide companies with an auditor view toggle that shows them the internal dashboard outlining every control and the evidence they have to satisfy it. We also need to show how each line in the policies is derived from a part of the Delve platform and make the policies intuitive to how they meet the different compliance requirements, although this is lower priority.

→ Are we properly displaying this data (evidence) to auditors?

→ Vision: we have a UI that is defined by controls and has respective evidence for each. This evidence can be easily exported. For Type II audits, we collect notes from companies so that they can verify that they are ready to start the Type II audit and so that they can answer the same standard questions that auditors ask every time.

→ Current: we have a UI organized by evidence requests and the auditors create a lot of back and forth when arguing certain controls aren’t covered when we’ve already provided evidence for it. They spend a lot of manual time downloading evidence, understanding it, not realizing which controls it satisfies, etc.

→ Delta: we need to redesign the auditor dashboard to be by control. Evidence needs to be properly structured for every control and sufficiently match the test procedures. All of this needs to be easily mass exportable. For Type II audits, we need to create a form for companies to fill out so that they can verify that they are ready to start the Type II audit and so that they can answer the same standard questions that auditors ask every time.

→ Are we facilitating communication between auditors and companies so that auditors can review the evidence?

→ Vision: we have no back and forth or questions from auditors. In the rare case that a question comes up, the users should receive a notification on their auditor dashboard so that they can resolve it without our help.

→ Current: we handle all of this communication ourselves via WhatsApp. Every audit requires 3-4 additional hours from our end asking the companies for evidence, sending over incorporation letters, filling out Ashwini’s list of control questions CSV, etc. As a result, we fall behind on our audit timelines and a lot of audits get delayed.

→ Delta: we need to add a messaging section to the Auditor dashboard and have automated email reminders to team members if anything ever comes up.

→ Are we keeping companies informed about their ongoing compliance obligations and reminding them of upcoming audits?

→ Vision: going back to the entirely AI automated platform, we have a streamlined platform that notifies users of changes that will require attention to the Delve platform. We also tell them when we autopull information and help them address as many SOC 2 requirements as possible. We focus on making them feel good about how much we auto-address for them, not for all the pending to-dos they have to do. We send email reminders to also inform users of when their upcoming audit is/when it ends/if there’s any pending to-dos/etc.

→ Current: we manage all of the audit deadlines manually on Pylon and will need to manually check next year when they’re due for their next audit. We also send manual Slack messages to tell customers what they should be doing during their audit period/once they’ve completed their audit.

→ Delta: we need to move Pylon data internally and have automated reminder emails to inform companies that their audit is coming up/they have pending to-dos/etc. We should have “info” icons for the current company status telling companies what they’re supposed to be doing if they’re in the audit period/getting ready for audits/etc. These need to be nicely designed emails that focus more on how much we did for the company. Also the emails cannot be overwhelming (i.e. if reducing the frequency of ITLC meetings from weekly will make customers happier then we should do it).

→ Do we have the right infrastructure in place to do the things to support auditors throughout this entire process?

→ Vision: 510 forms and system descriptions are autogenerated from information we request from companies during the audit process. The draft and official reports are sent via email from Delve with nice branded emails.

→ Current: we manually write up the 510 forms, system descriptions, and send over company info for the engagement letters to be issued. The auditors manually send emails with the draft report and the official report, as well as for the ELs and management letters, which we care less about.

→ Delta: we need to autofill the 510 forms and system descriptions from information provided by the company. More important, we need to upload these onto the platform so that they can be managed there instead of separate Google Docs. Low priority, but the draft and official reports should be sent via email from Delve with nice branded emails.
