This page is for informational and awareness purposes only. The situation described is based on publicly available reports and industry discussions. Cloudserve Systems does not make any legal claims regarding third-party audits or certifications.
To independently verify whether your organisation may be listed as a customer or vendor, you may refer to publicly available information here: dupedbydelve.com
⚠ Delve Scandal — March 2026

Was Your SOC 2 Affected by Delve?

494 fake compliance reports. 58 companies named. If your organisation used Delve for SOC 2, ISO 27001, HIPAA or GDPR — your certification is invalid. Cloudserve provides fast, legitimate, AICPA-registered re-audits. You already paid Delve — and now you need the same work done again. As a gesture of support, Cloudserve is providing one-time help: fast, legitimate, AICPA-registered re-audits with full end-to-end guidance at a fair and affordable cost.

Consulting and readiness support is delivered by our India-based team, while the audit is conducted by a licensed CPA firm in the USA — ensuring both affordability and compliance credibility.

  • 494: Fabricated SOC 2 Reports
  • 81: Fake ISO 27001 Certifications
  • 58: Companies Named Publicly
  • 99.8%: Reports — Identical Boilerplate
  • $300M: Delve's Series A Valuation
  • ~436: Companies Still Unidentified
  • Lovable ($6.6B)
  • Duos Edge AI — NASDAQ: DUOT
  • Sully — VA Hospital AI
  • Knowtex — FedRAMP
  • Slash — Series B $60M
  • Bland — Series B $65M
  • WisprFlow — 270+ Fortune 500
  • Greptile — Stripe & Amazon
  • 11x — a16z backed
  • micro1 — $500M valuation
  • Incorta — Series D $202M
  • Ziina — Series A $22M
  • Coretsu — Federal AI
  • Sentra — Series B $100M+
  • +444 more companies unidentified

What Actually Happened with Delve

The largest compliance fraud in SaaS history — and why every Delve-issued report must be treated as invalid.

 Pre-Written Auditor Conclusions

Delve embedded auditor conclusions and licence IDs into draft SOC 2 and ISO 27001 reports before any evidence was submitted. The audit outcome was predetermined — making every report fraudulent from the outset.

 99.8% Identical Boilerplate

An analysis of 494 SOC 2 reports found that 99.8% shared word-for-word identical language across all clients — control descriptions, risk assessments, and auditor commentary were simply copy-pasted wholesale.

 How the Scandal Was Uncovered

A misconfigured Google Spreadsheet belonging to Delve was accidentally made public in late 2025, exposing links to hundreds of confidential draft audit reports. Independent investigators — "DeepDelver" — analysed the leak and published their findings, triggering enterprise re-questionnaires industry-wide.

Timeline of Events

2022 – 2024

Delve raises $32M, grows to 500+ clients

Backed by Insight Partners at a $300M valuation. Marketed as an AI-powered GRC automation platform for YC-backed startups and growth-stage companies globally.

Late 2025

Google Spreadsheet accidentally exposed

Delve's internal spreadsheet containing links to hundreds of confidential draft compliance reports becomes publicly accessible due to a misconfiguration.

Early 2026

DeepDelver investigation published

Former customers analyse the leaked data and publish a detailed exposé revealing that auditor conclusions were pre-written before any evidence was ever collected from clients.

March 2026

58 companies named; ~436 still unidentified

494 SOC 2 and 81 ISO 27001 reports confirmed fabricated. Affected companies include a NASDAQ-listed firm, Series B startups, and HIPAA-covered healthcare AI providers serving the US Department of Veterans Affairs.

Now

All Delve reports must be treated as invalid

Enterprise buyers are issuing re-questionnaires across their vendor base. Legal and regulatory exposure is real. Remediation must begin immediately.

What This Means for Your Company

The consequences of a fabricated compliance report are severe, immediate, and cannot be ignored.

Critical — HIPAA

Criminal Liability for PHI Processors

Companies processing Protected Health Information face potential criminal liability. A fabricated SOC 2 does not satisfy the HIPAA Security Rule's administrative safeguards. Affected companies include Sully, Knowtex, Bland, and WisprFlow — some deployed inside VA hospitals.

Critical — GDPR

Fines Up to 4% of Global Revenue

Companies processing EU personal data face fines up to 4% of global annual revenue under GDPR Article 83. A fraudulent ISO 27001 certificate voids the Article 32 "appropriate technical measures" defence entirely.

Critical — SEC

Securities Fraud Risk

Duos Edge AI (NASDAQ: DUOT) marketed "SOC 2 Type II–audited" status in SEC filings. The report claimed coverage for five Trust Service Criteria but actually covered only Security — constituting potential securities fraud.

High — Vendor Trust

Enterprise Customer Fallout

Every enterprise customer who accepted a Delve report during vendor security reviews now has a gap in their third-party risk management audit trail — and re-questionnaires are being sent across the industry right now.

High — AICPA Violations

Breach of Professional Standards

Delve violated AICPA standards by acting simultaneously as both advisor and auditor — a fundamental conflict prohibited under AT-C Section 205. Neither Accorp nor Gradient was a registered CPA firm.

Moderate — Contracts

Contractual Breach Exposure

Many enterprise contracts require valid, independently audited SOC 2 compliance as a service condition. A fabricated certification may constitute a material breach, enabling contract termination or legal claims.

Delve vs Cloudserve — The Difference Is Everything

Cloudserve is the opposite of what Delve did. Every audit we perform is legitimate, independently verified, and fully AICPA-compliant.

❌ What Delve Did | ✅ What Cloudserve Does
Pre-written auditor conclusions before any evidence review | Every finding based on actual evidence collected from your systems
Identical boilerplate copy-pasted across 494 reports | Bespoke audit tailored to your actual control environment
Auto-generated evidence for controls that never existed | Real evidence collection, control walkthroughs, and testing
No traceability, no audit trail, no version history | Full audit trail, version-controlled documentation, complete records
Acted as both advisor and auditor — an AICPA violation | Clear separation: Cloudserve advises; independent CPA audits
Hidden offshore operations, fabricated UK/US addresses | Transparent India-based team with direct client access and accountability
$300M valuation, zero real compliance delivered | Supportive and fair pricing — designed for companies already impacted by Delve

How Cloudserve Re-Audits Work

End-to-end support from gap assessment to a valid, signed audit report — faster and more affordably than anyone in the market.

1. Gap Assessment

We review your existing Delve documentation and map what evidence actually exists versus what was fabricated.

2. Remediation Roadmap

We build a prioritised plan to close genuine control gaps — addressing what Delve's one-click evidence generation may have missed entirely.

3. Evidence Collection & Readiness

Our team guides yours through real evidence gathering, policy documentation, and control walkthroughs. No fabrication — ever.

4. AICPA-Registered Audit

Our India-based team handles full readiness and coordination, while the audit is conducted by a licensed CPA firm in the USA — ensuring independence and compliance. This approach allows us to conduct a proper SOC 2 Type I or Type II audit that will hold up to enterprise scrutiny.

5. Signed Report & Trust Page

You receive a valid, signed audit report and a legitimate trust page — replacing all Delve-issued reports that must be retracted immediately.

6. Ongoing Compliance Support

Continuous monitoring, annual re-attestation, and questionnaire assistance — so you never face this situation again.

Why Companies Choose Cloudserve for Re-Audits

Proven compliance expertise. Honest pricing. Full accountability.

Supportive & Fair Pricing

As you have already invested with Delve, our approach is to support you with a fair and affordable re-audit — focusing on helping you recover

60% Faster Than Traditional Audits

An accelerated readiness approach with an experienced compliance team moves you from gap assessment to signed report significantly faster than the industry average.

SOC 2, ISO 27001, HIPAA, GDPR

We cover every framework Delve may have fabricated — under one roof, with consistent methodology and complete audit trails.

End-to-End Support

Dedicated compliance consultant. Direct access. No hidden handoffs to offshore shell companies. You know exactly who is working on your audit.

Strict AICPA Compliance

We strictly separate advisory and audit functions. The CPA firm signing your report is properly licensed, independent, and conflict-free.

India Consulting + USA CPA Audit

All consulting, readiness, and support is delivered by our India-based team, while the final audit is performed by an independent CPA firm in the USA — ensuring both affordability and global compliance acceptance.

Questionnaire Response Support

As enterprise customers send re-questionnaires following the scandal, our team helps you respond accurately and quickly — protecting every active deal.

Choose Your Re-Audit Programme

No hidden fees. No fabricated shortcuts. Clear scope from day one.

Re-Audit for SOC 2

SOC 2 Type I or Type II re-audit for companies whose Delve-issued report is invalid — start from scratch, done right.
  • Full gap assessment against your existing Delve artifacts
  • Remediation roadmap & policy documentation support
  • Real evidence collection and control walkthroughs
  • Coordination with AICPA-registered CPA firm
  • Trust page setup and retraction of Delve report
  • Questionnaire response support (12 months included)

All engagements are individually quoted based on scope. Free consultation — no obligation.

Frequently Asked Questions

Everything you need to know about the Delve situation and your remediation options.

How do I know if my company was affected by Delve?
If your company used Delve's platform for SOC 2, ISO 27001, HIPAA, or GDPR compliance, your certification should be treated as potentially invalid. 58 companies have been named publicly at dupedbydelve.com, but approximately 436 more remain unidentified. Contact Cloudserve for a free assessment — we will review your documentation and confirm your exposure.
Do I need to notify my customers about this?
Yes. Any enterprise customer who accepted a Delve-issued compliance report during a vendor review should be notified that the report is invalid. This may be required contractually or by regulation (particularly under GDPR and HIPAA). Companies that respond fast and transparently retain customer trust; those that delay lose it.
Can I reuse any evidence or policies Delve helped create?
No. We strongly recommend starting from scratch. Delve's one-click evidence generation means that evidence in your reports may describe controls that do not actually exist in your environment. Reusing this material risks building your new audit on the same fraudulent foundation. Cloudserve conducts a fresh gap assessment to determine your actual security posture.
How quickly can Cloudserve complete a SOC 2 re-audit?
A SOC 2 Type I can typically be completed in 6–10 weeks from kickoff, depending on your existing security posture. A SOC 2 Type II requires a minimum 6-month observation period as required by AICPA standards. We offer prioritised engagement for companies with urgent enterprise customer requirements.
What should I do right now, before arranging a re-audit?
Act immediately:
  (1) Unpublish your Delve trust page and remove all compliance badges referencing Delve-issued reports.
  (2) Notify enterprise customers that your Delve report is under review.
  (3) Preserve all Delve-issued reports, trust page screenshots, and communications — these may be needed for legal proceedings.
  (4) Consult legal counsel if you process PHI, EU personal data, financial data, or government data.
Then contact Cloudserve to begin a free gap assessment.
Is Cloudserve's pricing affordable for companies impacted by Delve?
Yes. Since companies have already incurred costs with Delve, our approach is to provide fair and affordable pricing focused on recovery and remediation. Our India-based consulting team reduces overall cost, while the audit is conducted by a properly registered CPA firm in the USA.

494 fake reports. Ensure your compliance is valid and trusted

Cloudserve delivers legitimate, affordable, end-to-end compliance re-audits — from gap assessment to signed report. Start today.