Another customer of troubled startup Delve suffered a big security incident
Source: TechCrunch
The compliance startup Delve has been at the center of a series of controversies and security incidents involving its customers.
Background
- In March, an anonymous whistleblower alleged that Delve was faking customer data and using “rubber‑stamping” auditors for its compliance and certification processes. Delve denied the allegations.
[TechCrunch – Delve accused of misleading customers with fake compliance](https://techcrunch.com/2026/03/22/delve-accused-of-misleading-customers-with-fake-compliance/)
- Around the same time, Delve was accused of taking an open‑source tool and passing it off as its own work without proper license attribution.
[TechCrunch – The reputation of troubled YC startup Delve has gotten even worse](https://techcrunch.com/2026/04/01/the-reputation-of-troubled-yc-startup-delve-has-gotten-even-worse/)
- Following these reports, Y Combinator—the accelerator from which Delve graduated—severed ties with the startup.
[TechCrunch – Embattled startup Delve has parted ways with Y Combinator](https://techcrunch.com/2026/04/04/embattled-startup-delve-has-parted-ways-with-y-combinator/)
Recent Security Incidents
Vercel breach via Context AI
- Vercel disclosed that hackers accessed internal systems and some customer data after an employee downloaded an app built by Context AI and linked it to Vercel’s corporate Google account.
[TechCrunch – Vercel confirms security incident after breach at Context AI](https://techcrunch.com/2026/04/20/app-host-vercel-confirms-security-incident-says-customer-data-was-stolen-via-breach-at-context-ai/)
- Gergely Orosz, author of The Pragmatic Engineer, noted on X that Delve handled Context AI’s security certification.
[X post by Gergely Orosz](https://x.com/GergelyOrosz/status/2046292002225217953)
- Context AI confirmed it had used Delve but has since ditched the startup and is pursuing re‑certification with Vanta and Insight Assurance.
“Yes, Context was previously a Delve customer… We transitioned our compliance program to Vanta and engaged Insight Assurance… We’ll share the new attestation when it is complete.” – Context AI spokesperson
LiteLLM incident
- Hackers attacked LiteLLM, a security‑certification customer of Delve, planting malware in its open‑source code. After the breach, LiteLLM announced it was dropping Delve and seeking a new certification.
[TechCrunch – LiteLLM ditches controversial startup Delve](https://techcrunch.com/2026/03/30/popular-ai-gateway-startup-litellm-ditches-controversial-startup-delve/)
Customer Reactions
- Lovable, a vibe‑coding platform that previously used Delve, said it ended the relationship in late 2025 after the whistleblower’s allegations surfaced. The company has since completed one security certification and is redoing others.
[LinkedIn post about Lovable’s departure](https://www.linkedin.com/posts/vanta-share-7440811492775563265-EfbB/)
- In early April, Lovable admitted it unintentionally exposed customer chat data publicly, dismissed earlier vulnerability reports, and apologized for initially denying a breach. The issue was attributed to a configuration error rather than a hack.
[X post by Lovable](https://x.com/scrollvoid/status/2046306452462358941)
Whistleblower Allegations
- The whistleblower, known as DeepDelver, published a follow‑up post alleging that Delve denied refunds to customers while taking a 20‑person off‑site meeting in Hawaii (April 15‑19).
[DeepDelver Substack post](https://deepdelver.substack.com/p/delve-hawaii-edition-part-ii-post?r=7cupua)
- TechCrunch received receipts supporting the Hawaii trip but could not verify the other claims. Delve declined to comment after the publication.
Overall Assessment
Security certifications alone do not prevent breaches; they are intended to verify that a company has policies and processes to mitigate attacks. The recent incidents involving Delve’s customers—Vercel, Context AI, LiteLLM, and Lovable—highlight the limits of certification when implementation and ongoing security hygiene fall short.