The story of troubled compliance startup Delve has its ups and downs.
TechCrunch has confirmed that Delve was the compliance company that performed security certification for AI agent training startup Context AI, which last week disclosed a security incident that led to a data breach at popular app and website hosting giant Vercel.
On the other hand, Lovable, which had its own security incident, is no longer a Delve customer.
In short: Last month, Delve came under fire when an anonymous whistleblower alleged that the startup was manipulating customer data and using rubber-stamping auditors in its compliance and certification processes. Delve has denied those allegations.
Soon after, hackers attacked LightLLM, one of Delve’s security certification customers, and inserted malware into its open source code. Following the incident, LightLLM told TechCrunch it was leaving Delve and re-certifying.
Delve was also accused of taking an open source tool and presenting it as its own work without the proper license. The startup's reputation became shaky, prompting Y Combinator, from which Delve graduated, to sever ties.
Fast forward to last weekend: Vercel said hackers had broken into its internal systems and accessed some customer data. The company said the hackers broke in after an employee downloaded an app created by Context AI and connected that app to Vercel's corporate account hosted by Google. The hackers misused that employee's access to their Google account to break into some of Vercel's internal systems.
After Context AI was named in the Vercel attack, Gergely Orosz, author of the engineering newsletter The Pragmatic Engineer, said in a post on X that Delve was the company that handled the security certification of Context AI.
Context AI has now confirmed to TechCrunch that it did use Delve, but has since left the startup and is in the process of getting recertified.
“Yes, Context was previously a Delve customer,” a spokesperson for Context AI told TechCrunch. “Following the reporting around Delve in March, we transferred our compliance program to Vanta and hired an independent audit firm, Insight Assurance, to conduct new examinations. As part of the re-examination, we began updating our public materials, and we will share the new verification when it is complete,” the spokesperson said.
Security certificates do not prevent security problems by themselves. Their purpose is to verify that a company has policies and procedures in place to prevent attacks and reduce the possibility of customer data being compromised.
Case in point: Lovable was a Delve customer, but after the whistleblower allegations surfaced, the vibe-coding platform said it had left the startup at the end of 2025. The company has already re-completed one security certification, and is in the process of re-doing others, it said.
Still, Lovable acknowledged on Monday that it had inadvertently publicly shared access to customer chat data. The company also said it had dismissed vulnerability reports that alerted the company to the problem months ago. Lovable initially apologized for denying the data breach, although it said the problem was caused by a configuration error rather than a hack.
There are more strange reports circulating around Delve. The anonymous whistleblower, DeepDelver, published another post alleging that Delve was refusing to give refunds to customers, but still took its team of more than 20 people to an offsite meeting in Hawaii between April 15 and April 19.
The whistleblower shared some fascinating receipts with TechCrunch that lend credibility to the alleged air travel, but TechCrunch couldn’t confirm other claims.
Delve did not respond to requests for comment and confirmation, and an email sent to its media relations address bounced.