Safety · Apr 24, 2026

Delve's security certifications failed to prevent breaches at multiple customers

The troubled compliance startup certified Context AI, LiteLLM, and Lovable—all of which subsequently suffered security incidents. Questions mount about the value of Delve's processes amid whistleblower allegations.


1 source · cross-referenced

TL;DR
  • TechCrunch confirmed that Delve performed security certifications for Context AI, which was linked to a breach affecting Vercel after an employee installed a malicious app and granted it access to Google-hosted corporate systems.
  • Delve customers LiteLLM and Lovable also experienced security incidents or data exposure, despite holding Delve certifications.
  • After whistleblower allegations in March 2026 that Delve faked customer data and used rubber-stamping auditors, Context AI, LiteLLM, and Lovable all terminated their relationships with Delve and sought re-certification from other vendors.
  • Y Combinator severed ties with Delve following the controversies.
  • Security certifications are designed to verify policies and processes, not to prevent all attacks; their failure in multiple cases raises questions about Delve's audit rigor.

TechCrunch has confirmed through direct reporting that Delve, a compliance startup under investigation for allegedly faking audits, performed security certifications for Context AI. That confirmation matters because Context AI was subsequently identified as the vector in a Vercel breach: an employee downloaded a Context AI app, granted it access to a corporate Google account, and attackers exploited that access to reach Vercel's internal systems.

The pattern is not isolated. LiteLLM, another Delve customer, suffered a malware injection into its open-source code following a hacker attack. Lovable, which held a Delve certification but left the vendor in late 2025, later admitted to inadvertently exposing customer chat data due to misconfiguration. Neither company's Delve certification prevented or detected these incidents.

In March 2026, an anonymous whistleblower known as DeepDelver alleged that Delve was fabricating customer data and relying on inadequate auditors to rubber-stamp compliance claims. Delve denied the allegations, but the resulting reputational damage prompted multiple customers to exit and seek alternative certifiers. Context AI confirmed it had switched to Vanta and hired Insight Assurance for re-examination. LiteLLM and Lovable similarly announced they were transitioning away from Delve.

Y Combinator, which had backed Delve, terminated its association with the startup. Separately, the whistleblower published allegations that Delve was denying customer refunds while funding an offsite trip to Hawaii, claims TechCrunch said it could partially verify through receipts but could not fully corroborate.

Security certifications are not guarantees against breach; they verify that a company has documented policies and controls in place. However, the concurrent failures at multiple certified customers raise questions about whether Delve's audits were substantive or whether the startup's own reported shortcomings in audit methodology left customers exposed.

Sources
  1. TechCrunch (AI), "Another customer of troubled startup Delve suffered a big security incident"