Security Incident Hits Another Customer of Struggling Startup Delve

The ongoing saga of Delve, a compliance startup embroiled in controversy, continues to unfold with new developments. TechCrunch has verified that Delve was responsible for security certifications for Context AI, the AI training startup that recently revealed a security breach, which resulted in a data breach at Vercel, a major app and website hosting provider.

Meanwhile, Lovable, which also experienced a security incident, is no longer a Delve client.

To summarize: Last month, Delve faced criticism when a whistleblower accused the startup of falsifying customer data and using non-stringent auditors for its certifications. Delve has refuted these claims.

Shortly after, a cyberattack targeted one of Delve’s certified clients, LiteLLM, resulting in malware infiltration of its open-source code. Following this, LiteLLM informed TechCrunch it was severing ties with Delve and seeking re-certification.

Delve also faced accusations of improperly claiming an open-source tool as its own creation, leading Y Combinator, from which Delve graduated, to end their association.

Recently, Vercel disclosed a breach of its internal systems in which hackers accessed some customer data. The attackers exploited an employee's access after the employee downloaded a Context AI app linked to Vercel's Google-hosted corporate account.

Gergely Orosz, writer of The Pragmatic Engineer newsletter, revealed on X that Delve certified Context AI’s security. Context AI confirmed this to TechCrunch but stated it has since moved on to Vanta and is undergoing re-certification.

A Context AI representative said, “Yes, Context was previously a Delve customer. Following March’s reports on Delve, we switched our compliance efforts to Vanta and engaged Insight Assurance for fresh audits. We’re updating our public documents and will release new attestations once finalized.”

Security certifications aim to confirm that a company has measures in place to prevent attacks and protect customer data but cannot guarantee security.

Lovable, previously a Delve client, stated it had abandoned Delve in late 2025 after the whistleblower’s claims. The platform has completed one re-certification and is revisiting others.

Nonetheless, Lovable recently admitted it mistakenly made customer chat data publicly accessible and dismissed earlier reports of vulnerabilities. The company apologized for denying what it had initially termed a breach, attributing it to a configuration error.

Adding to the intrigue, the whistleblower DeepDelver posted allegations that Delve denied refunds to customers but still organized an offsite meeting in Hawaii for its 20-plus team members from April 15 to April 19.

The whistleblower provided evidence of the alleged Hawaii trip to TechCrunch, which, however, could not corroborate other accusations.

Delve has not replied to requests for comment, and an email to its media contacts bounced back.
