
Delve Compliance Platform Exposed for Fabricating Audit Reports

TL;DR

Investigation reveals Delve generated fake compliance evidence, falsified auditor independence, and misled hundreds of customers about SOC 2 and ISO 27001 certifications.

Key Points

  • Leaked spreadsheet and audit reports exposed fraudulent SOC 2 and ISO 27001 certifications affecting 100+ companies, including NASDAQ-traded Duos Edge
  • Delve fabricated board meeting minutes, security tests, and control evidence while claiming 100% compliance across all clients
  • Leadership knowingly breached AICPA/ISO independence rules by acting as auditors, while using rubber-stamp Indian certification mills operating through US shell companies
  • Clients unknowingly face criminal HIPAA liability and GDPR fines up to 4% of global revenue due to non-compliant implementations

Why It Matters

This exposes a critical supply chain risk in the compliance-as-a-service ecosystem. Companies relying on Delve for SOC 2, ISO 27001, HIPAA, and GDPR certifications are operating under false compliance claims, creating regulatory exposure for themselves and their customers. Security and compliance professionals need to audit their own certification providers and verify auditor independence to avoid similar fraud.

Source: deepdelver.substack.com