
The Delve Compliance Leak: What It Means for SOC 2 Certification

In March 2026, an anonymous whistleblower published what may be the most detailed exposé of compliance fraud the technology industry has ever seen. The target: Delve, a Y Combinator-backed startup valued at $300 million that promised to get companies SOC 2 certified in days using AI. The allegation: that Delve had been fabricating audit evidence, generating auditor conclusions before any auditor reviewed client data, and getting unaccredited Indian certification mills to rubber-stamp the results.

If you work in tech and care about security compliance, or if you were a Delve customer, this story matters to you.

What Actually Happened

Delve was founded in 2023 by MIT dropouts Karun Kaushik and Selin Kocalar. The pitch was compelling: use “agentic AI” to compress months of painful compliance work into a few days. By mid-2025, the company had raised $32 million in Series A funding, claimed over 1,000 customers in 50 countries, and had become one of the most talked-about names in the compliance automation space.

Then, in December 2025, an email went out to hundreds of Delve clients. It alleged that Delve had leaked a publicly accessible Google spreadsheet containing hundreds of confidential audit reports, and that those reports were fraudulent. Delve’s CEO dismissed it as “an AI-generated email with falsified claims.”

That denial turned out to be harder to sustain than expected.

In March 2026, the anonymous account Deepdelver published a detailed technical analysis of the leaked database. The findings were striking. Across 533 leaked reports covering 455 companies, the same auditor conclusion language appeared word for word, including an identical grammatical error. Auditor conclusions and test results had been generated before any client even provided their company information. The auditors signing off were not the US-based CPA firms Delve had advertised, but Indian certification mills operating through empty shell addresses.

Inc. Magazine covered the initial story in detail. Read the full article here.

Claim your free review

Free Migration For Companies Affected by Delve

Axipro is currently offering Delve-affected companies a free 30-minute compliance review plus complimentary migration to Vanta or Drata. Our certified compliance experts will tell you exactly which situation you are in, identify any real gaps, and guide your migration so your next audit is clean.

Will Affected Companies Lose Their SOC 2 Certification?

The short answer is no, not automatically.

SOC 2 reports are issued by independent CPA firms, not by compliance platforms. Delve was the evidence collection and preparation tool. The auditor signed off separately. There is no central SOC 2 registry, no revocation authority, and no body that automatically invalidates a certificate because the platform used to prepare it has been accused of fraud.

The certificate exists. It is technically still valid.

But a certificate is only as credible as the evidence behind it. If the controls it claims were in place were never actually implemented, if the board meeting minutes were identical boilerplate, if the penetration test never happened, if the device security screenshots were one-off manual uploads rather than evidence of continuous monitoring, the certificate is not a record of real compliance. It is a document waiting to be challenged.

The moment a Delve client goes to renew with a reputable auditor, that auditor will look at the evidence. They will find gaps. That renewal failure is when the certificate effectively collapses, and it almost always happens at the worst possible time. Review our SOC 2 compliance checklist to understand exactly what a legitimate audit requires.

The Three Situations Every Delve Client Is In Right Now

Not every Delve client faces the same risk. Understanding which situation you are actually in is the most important thing you can do right now.

Situation 1: Your controls are real, just poorly documented. Your underlying security practices are solid. Delve’s platform generated sloppy evidence around them, but the controls themselves exist. A gap assessment, a cleanup, and a fresh audit with a reputable firm is all you need. Manageable.

Situation 2: You have gaps between what your certificate claims and what exists. Some controls were implemented, some were not. The Delve platform made it very easy to click through pre-populated forms and never notice the difference. These gaps are fixable — but only if you find them before your next renewal, your next enterprise customer review, or your next M&A process does. For a deeper understanding of what a proper gap analysis involves, see our detailed guide to gap analysis.

Situation 3: Significant controls were never implemented. This creates real commercial, contractual, and in some cases legal exposure. It is particularly serious for companies that handle health data under HIPAA or process EU resident data under GDPR, and for any company that has won government or federal contracts on the basis of these certifications.

All three situations look identical from the outside right now. Your certificate exists. Your trust page is live. Nothing has visibly broken. The only way to know which situation you are in is to actually look.

The Consequences Nobody Is Fully Reporting

Most coverage of this story has focused on Delve itself. The more important story is what happens to Delve’s clients over the next 12 months.

The enterprise customer risk. Delve’s questionnaire AI was answering vendor security questionnaires on behalf of clients, claiming controls (MDM systems, penetration tests, backup restoration simulations) that the platform demonstrably never verified. Delve clients were therefore making specific false representations to their own enterprise customers during procurement. If any of those customers later suffers a breach and traces it back to a vendor that misrepresented its security posture, the liability chain is clear. This is one of the common pitfalls in SOC 2 that organisations rarely anticipate until it is too late.

The HIPAA exposure is more serious than reported. The Deepdelver report identifies multiple Delve clients that process protected health information for millions of US citizens. Under HIPAA, penalties for compliance violations escalate from fines to criminal charges depending on whether the violation was knowing or unknowing. The critical legal threshold here is December 2025. Companies that received the breach notification email and took no meaningful action after that point have a documented timestamp of when they were put on notice. The distinction between unknowing and knowing violation may hinge on that date.

GDPR creates cross-border exposure. Under Article 83 of the GDPR, fines can reach 4% of global annual revenue or €20 million — whichever is higher. GDPR applies to any company processing data of EU residents, regardless of where the company is incorporated. Delve claimed clients in 50+ countries. Many of those clients will have EU exposure they are currently unaware of.

The M&A trap. Compliance certifications are material facts in acquisition due diligence. If a Delve client is acquired or raises a significant funding round, any investor’s legal team doing thorough due diligence will examine the audit evidence behind the SOC 2 certificate. That examination will find the gaps.

Why Switching to Vanta or Drata Alone Will Not Fix This

The instinct for most Delve clients right now is to migrate to Vanta or Drata as quickly as possible. Both are legitimate, well-regarded platforms. Drata is trusted by names like Wispr Flow, which publicly announced its migration after the scandal broke. But software collects and organises evidence. It does not verify that the controls behind that evidence actually exist.

| What compliance requires | Software platform alone | Human expert oversight |
|---|---|---|
| Verify controls are implemented | Relies on self-reporting | Independent assessment of real operations |
| Catch gaps between policy and practice | Cannot detect undeclared gaps | Structured gap assessment against actual systems |
| Continuous monitoring evidence | Tracks what you connect | Verifies what is worth connecting |
| Defensible audit documentation | Template-generated | Expert-reviewed and evidence-backed |
| Accountability if gaps are found | Platform disclaims liability | Consultant stands behind the work |

If your controls were not real under Delve, they will not become real because you are now tracking them in a different dashboard. Switching platforms without a gap assessment first is repainting a house with a cracked foundation. It looks better. The problem is still there. That said, migrating to the right platform, with the right guidance, is absolutely the correct long-term move. Click here to see how Axipro and Drata make SOC 2 happen in weeks, not months.

What the Right Remediation Actually Looks Like

For most companies, this is a solvable problem.

Start by pulling your existing Delve audit reports and reviewing them against your actual systems. Compare what the reports claim (on MDM, penetration testing, board meetings, backup simulations) against what you can actually evidence today.

Next, commission an independent gap assessment with a certified compliance expert. This is the step most companies skip when they are in a hurry to move on. It is also the step that determines whether you remediate on your own terms or get caught out by an auditor, a customer, or a regulator.

Once you understand your real compliance posture, choose your new platform with clear eyes. Getting guidance before committing to a new annual contract is worth the time; see our comparison of Vanta vs Drata to understand which platform suits your organisation’s needs.

If you have ongoing customer relationships where your Delve certification was a material factor, consider proactive communication. Getting ahead of potential questions is almost always better than fielding them reactively.


Axipro Author


Pedro Dias

Pedro has been writing online for over 10 years. With experience in all things programming, cyber security, and compliance, he is our editor-in-chief at Axipro.
