The story of embattled compliance startup Delve keeps hitting twists and turns.
Trendster has confirmed that Delve was the compliance firm that carried out the security certifications for Context AI, the AI agent training startup that last week disclosed a security incident which led to a data breach at popular app and website hosting giant Vercel.
However, Lovable, which had its own security incident, is no longer a Delve customer.
To recap: Last month, Delve came under fire when an anonymous whistleblower alleged that the startup was faking customer data and using rubber-stamping auditors in its compliance and certification processes. Delve has denied these allegations.
Soon afterwards, hackers attacked one of Delve’s security certification customers, LiteLLM, and planted malware in its open source code. After the incident, LiteLLM told Trendster it was dumping Delve and getting re-certified.
Delve was also accused of taking an open source tool and passing it off as its own work without proper license attribution. The startup’s reputation grew shaky, prompting Y Combinator, where Delve graduated from, to sever ties.
Fast forward to last weekend, Vercel said hackers had breached its internal systems and accessed some customer data. The company said hackers broke in after an employee downloaded an app made by Context AI and connected that app to Vercel’s corporate account hosted by Google. The hackers abused that employee’s access to their Google account to break into some of Vercel’s internal systems.
After Context AI was named in the Vercel attack, Gergely Orosz, author of the engineering newsletter The Pragmatic Engineer, said in a post on X that Delve was the company that handled Context AI’s security certification.
Context AI has now confirmed to Trendster that it did use Delve, but it has since ditched the startup and is in the process of getting re-certified.
“Sure, Context was beforehand a Delve buyer,” a spokesperson for Context AI told Trendster. “Following the reporting surrounding Delve in March, we transitioned our compliance program to Vanta and engaged Perception Assurance, an unbiased audit agency, to conduct new examinations. As a part of the re-examination, we started updating our public supplies, and we’ll share the brand new attestation when it’s full,” the spokesperson added.
Security certifications on their own don’t stop security issues. They’re supposed to verify that a company has policies and processes in place to hinder attacks and reduce the risk of customer data being compromised.
Case in point: Lovable was a Delve customer, but after the whistleblower’s allegations came out, the vibe-coding platform said it had ditched the startup back in late 2025. The company has already re-completed one security certification and is in the process of redoing others, it said.
Still, Lovable on Monday admitted that it had inadvertently shared access to customer chat data publicly. The company also said it had dismissed vulnerability reports that alerted the company to the problem months earlier. Lovable apologized for initially denying there was a data breach, though it said the issue was caused by a configuration error, rather than a hack.
There’s even weirder news swirling around Delve. The anonymous whistleblower, DeepDelver, has published another post alleging Delve was denying refunds to customers, but still took its team of more than 20 people to an offsite meeting in Hawaii between April 15 and April 19.
The whistleblower shared some compelling receipts with Trendster that lend credence to the alleged Hawaii trip, but Trendster couldn’t confirm other claims.
After publication, Delve declined to comment.