Not a Rubber Stamp

Chris Goodwin, CEO & Co-Founder

A great time to be launching DealCycl Compliance.

This week, a detailed investigation revealed that Delve — a Y Combinator-backed compliance automation startup that raised $32 million at a $300 million valuation — had been systematically fabricating compliance reports for hundreds of clients. The story has since been confirmed and discussed across Techmeme, Hacker News, and multiple independent sources.

The scope is staggering. A leaked Google spreadsheet contained links to 494 draft SOC 2 and ISO 27001 reports — with auditor conclusions pre-written before clients had even submitted their system descriptions. 493 of those reports contained identical boilerplate language. The "US-based CPA firms" conducting the audits turned out to be Indian certification mills operating through shell companies and virtual office addresses. The platform generated fake board meeting minutes, fabricated evidence for employees who never completed onboarding, and hosted trust pages listing security controls that were never implemented.

When confronted with the leak, Delve's CEO dismissed it as "falsified claims" from an "AI-generated email."

We weren't surprised

When we read stories like this, we're horrified by the lack of accountability — but we're not surprised. This is the failure mode we've been warning about since we started building DealCycl Compliance.

My co-founder and I spent fifteen years building enterprise GRC platforms — RSA Archer and Lockpath. We've seen what happens when the incentive structure around compliance breaks down. When the goal becomes "get the report as fast as possible" instead of "understand and manage your risk," fraud isn't a bug. It's a feature.

The compliance automation market has raised over a billion dollars in combined funding on a single premise: compliance is slow and painful, and AI can make it fast and easy. That premise is correct. But "fast and easy" without substance isn't compliance. It's a rubber stamp.

And a rubber stamp with a SOC 2 logo on it is worse than no compliance at all — because it gives you false confidence that your security program works when it doesn't.

What compliance actually means

A SOC 2 report is an output. It is not the goal.

The goal is a security program that actually protects your company, your customers, and your data. Policies your team has read, understood, and acknowledged. Controls that are implemented and operating effectively. Evidence that proves they work — not screenshots fabricated by a platform, but real artifacts from your real infrastructure.

When a VC asks for your SOC 2 report during due diligence, they're not asking for a PDF. They're asking whether you run a real security program. When an enterprise customer requires SOC 2 before signing a contract, they're trusting that an independent auditor verified your controls actually work: in a Type II report, that they operated effectively over the observation period, not merely that they were designed.

That trust is the entire value of compliance. And when a platform fabricates the evidence, pre-writes the auditor's conclusions, and routes the report through a rubber-stamp firm — that trust is destroyed. Not just for that platform's customers, but for every startup that earned their compliance honestly.

Why we built DealCycl Compliance differently

We built DealCycl Compliance because we needed it ourselves. DealCycl handles the most sensitive financial data a private company produces — cap tables, equity ownership, investor information. We need SOC 2. And when we looked at the compliance automation market, we saw exactly the kind of black-box, checkbox-driven approach that just blew up at Delve.

So we built our own tool, and we're using it to run our own compliance program. We are customer zero.

Here's what that means in practice:

You see everything. There is no black box. Every policy, every control, every piece of evidence is visible, editable, and yours. We don't pre-write auditor conclusions. We don't generate fake evidence. We give you the tools to build a real compliance program — and the AI to make it dramatically faster.

AI assists. Humans are accountable. Our AI generates policy drafts tailored to your company's actual tech stack. It suggests controls mapped to framework criteria. It identifies gaps in your program. But every policy is reviewed and published by a human. Every control is verified by a human. Every piece of evidence is real. AI accelerates the work — it doesn't replace the accountability.

We can't fake it. Our own SOC 2 report depends on DealCycl Compliance working correctly. Every workflow, every evidence collection process, every policy template has been tested on our own program before any external customer touches it. When your compliance vendor is also their own first customer, the incentives are aligned in a way they simply aren't when a 21-year-old is optimizing for speed-to-report at scale.

Your evidence is yours. Open export in PDF, DOCX, and JSON. No proprietary evidence formats. No vendor lock-in. If you want to take your compliance program and move it to another platform tomorrow, you can — with every policy, every control mapping, and every piece of evidence intact. We believe that if you have to trap your customers to keep them, you've already lost.

The lesson

If your compliance vendor can deliver a SOC 2 report in days without you doing any meaningful work, ask yourself one question: what exactly are they attesting to? Start with the auditor. A SOC 2 report can only be issued by a licensed CPA firm, so look up the firm's license with its state board of accountancy and its enrollment in the AICPA peer review program before you accept the report, and ask the auditor directly which evidence they tested and over what period.

Compliance isn't a certificate you buy. It's a program you build. The certificate is proof that the program works — and if the program doesn't exist, the certificate is worthless. Or worse, it's a liability.

The companies that trusted Delve now face a devastating reality: their SOC 2 reports are meaningless, their enterprise contracts may be void, and their actual security posture is unknown. Some of these companies process protected health information for millions of Americans. Some serve defense interests. The consequences of fake compliance aren't hypothetical. They're existential.

This is why we built DealCycl Compliance. Not to give you a faster rubber stamp. To give you a real compliance program — with the AI to make building it dramatically easier, and the transparency to prove it actually works.

Not a rubber stamp. The real thing.

Learn more at dealcycl.com/compliance

Your compliance. Your data.

Chris Goodwin is CEO & Co-Founder of DealCycl.