Troubled startup Delve splits from Y Combinator

The mounting controversy surrounding Delve appears to have led to a significant development, as the compliance-focused startup is no longer associated with Y Combinator.

Delve has been removed from Y Combinator’s official directory of portfolio companies, and its dedicated page on the accelerator’s website is no longer accessible. Confirming the split, Delve’s COO Selin Kocalar shared in a post on X that “YC and Delve have parted ways.”

Reflecting on the company’s earlier days, Kocalar noted, “I still remember the day we took our YC interview at MIT,” adding that the team remains thankful for the community and relationships built through the accelerator.

Y Combinator is not the only backer distancing itself from the startup. Insight Partners also appeared to remove references to its investment in Delve, though its primary blog post about the funding was later reinstated.

At the same time, Delve continues to respond to a series of anonymous allegations that the company misled customers about its compliance with privacy and security standards. According to these accusations, Delve allegedly bypassed key requirements while generating reports for certification processes that were described as “rubber-stamped.”

The claims originated from an anonymous Substack account operating under the name “DeepDelver,” which presented itself as a former Delve customer. The individual stated that concerns arose after receiving leaked information tied to the startup’s client base.

Follow-up posts from DeepDelver included what were described as internal Slack messages and video materials, along with further allegations that Delve had used an open-source tool without properly crediting the original developer or forming an agreement. Separately, a security researcher claimed to have accessed sensitive internal data belonging to the company.

The situation became more complex when Delve was indirectly linked to another incident involving malware found in an open-source project connected to LiteLLM, a company listed as one of Delve’s customers.

In response, Delve’s leadership has publicly addressed the allegations. In a recent blog post, COO Selin Kocalar and CEO Karun Kaushik stated that they intend to “set the record straight on anonymous attacks.” They revealed that the company has engaged a cybersecurity firm to investigate the situation and suggested that the available evidence indicates a malicious breach rather than whistleblowing.

According to their statement, “It appears that an attacker purchased Delve under pretences, maliciously exfiltrated data, including Delve’s internal company data, and used it to launch a coordinated smear campaign against us.” The company also shared a screenshot it claims shows the alleged attacker extracting an internal audit-tracking spreadsheet via file-sharing tools.

Delve further dismissed the accusations made by DeepDelver, describing them as “a mix of fabricated claims, cherry-picked screenshots, and data taken out of context.” As an example, the company pointed out that while the critic downplayed its AI capabilities, it also acknowledged that the system automated approximately 70% of a security questionnaire.

Addressing concerns about open-source usage, Delve stated that it had built on an Apache 2.0-licensed repository, which permits commercial use, and that the tool had been significantly modified to support compliance-related applications.

Despite defending its practices, Delve acknowledged the need to rebuild trust with its customers. The company outlined several corrective steps, including reviewing and removing auditing firms that do not meet its standards, offering free re-audits and penetration testing to current clients, and clarifying that its templates—such as those for board meeting documentation—are intended only as starting points.

In a separate post on X, CEO Karun Kaushik reiterated many of these points. Also, he admitted shortcomings, stating that the company had grown rapidly and failed to maintain its own standards. He added an apology to customers, acknowledging the inconvenience caused during the controversy.