SOC 2 Attestation Requires More Thoughtful Compliance. The Delve Scandal Proves It.

Apr 13, 2026

Kanary exists for one reason: to remove human intelligence from digital sources before it can be weaponized by bad actors. We scour the shadowy ecosystem of digital platforms that sell, aggregate or index personal information and we mitigate risks to reduce the human attack surface. That mission isn't just a tagline. It shapes every decision we make, including how we approach compliance.

So when we started our SOC 2 compliance journey and learned that the standard approach to employee background checks meant paying a third-party data broker to verify our hires, we had a problem. Not an administrative one, but a fundamental one: we were being asked to fund the exact machine we're trying to dismantle.

The Uncomfortable Default: SOC 2 Background Checks and Data Brokers

Background check services are convenient, widely accepted, and they get your audit box checked fast. But those services don't just verify identities; they aggregate and resell personal data. They are, in the most literal sense, the industry Kanary exists to fight.

Most people don't realize that the background check industry and the data broker industry are largely the same. When a company runs a background check through a third-party service, it isn't hiring an investigator; it's querying a database. That database was built by aggregating public records, purchasing data from other brokers, scraping social profiles, and compiling purchase histories, location data, and behavioral signals from dozens of upstream sources. The employee being checked never consented to their information living in that database and almost certainly doesn't know it's there. Additionally, once the check is run, that query becomes another data point in the broker's ecosystem, potentially sold to the next buyer downstream.

This contributes to the spread of personal data risk. Data brokers operate with minimal regulatory oversight in most U.S. states, which means there is no reliable guarantee about how long employees' information is retained, who else can purchase it, or how securely it's stored. A breach at a background check provider doesn't just expose the report; it can expose the underlying personal data of every individual ever checked through that system: home addresses, financial history, prior employers, and in some cases sensitive legal records. This puts the company in a position where it is exposing its employees' PII, and therefore incurring organizational risk, in the name of a false sense of security.

For Kanary, participating in this process wouldn't just have felt hypocritical. It would have been a small but real betrayal of every person who trusts us with their privacy.

So we didn't do it.

Instead, we built our own alternative: internal reference checks and workplace verification, applied thoughtfully across our small, largely in-network team. When we brought this to our auditors, we didn't just say "we refuse." We came prepared. We explained the risk the control is designed to mitigate — hiring unvetted people — and showed exactly how our approach addressed that same risk.

Auditors aren't unreasonable. SOC 2 is a framework, not a script. And when you demonstrate that the spirit of a control is satisfied, they can work with you.

They said yes.

What SOC 2 Compliance Is Actually For (And Why Most Companies Miss It)

Most companies approach SOC 2 like a DMV visit: a bureaucratic process to get through, ideally as fast as possible, with the least effort required. Whatever an auditor asks for, they supply, without always asking whether the control serves their interests or fits their context.

An entire industry has emerged to serve that impulse. Compliance automation platforms pitch a compelling story: connect your infrastructure, let the software collect evidence, and emerge with a shiny report. The appeal is obvious. The problem is that it encourages you to outsource your thinking and your accountability to a generic dashboard.

When a CTO approves a security policy based on an auto-generated summary, they've signed off on something they haven't actually read. When "evidence" is collected by software that auto-populates fields, nobody has had the conversation about whether the underlying control reflects how your company actually operates. When compliance becomes a product you buy rather than a posture you build, you're not more secure. You're just more comfortable.

The most valuable parts of our SOC 2 process weren't the checks turning green. They were the debates:

  • Should we rescope background checks?

  • What does least-privilege mean for a small team where people wear multiple hats?

  • Where does our real exposure lie, and are we actually addressing it?

Those conversations forced us to think about security in ways no automated tool could prompt. If your compliance process doesn't feel like a series of hard conversations, you probably aren't doing it right. And the consequences of getting this wrong aren't hypothetical.

The Delve Compliance Scandal: What Happens When the Checkbox Mentality Scales

In March 2026, a whistleblower group calling themselves "DeepDelver" published a detailed account of what they alleged to have found inside Delve, a Y Combinator-backed compliance startup that had raised $32 million at a $300 million valuation on the promise of AI-accelerated SOC 2 and ISO 27001 compliance.

What the group reported was striking. According to the account, 493 out of 494 SOC 2 reports were nearly identical. They had the same paragraphs, the same grammatical errors, and the same nonsensical descriptions, with only the company name and logo swapped out. Auditor conclusions were pre-written. The "Independent Service Auditor's Report" and all test procedures existed in draft reports before clients had submitted any evidence.

In other words, the compliance wasn't just automated. According to the allegations, it was fabricated. The whistleblowers claimed Delve was "falsely" convincing "hundreds of customers they were compliant" with privacy and security regulations, potentially exposing those customers to criminal liability under HIPAA and hefty fines under GDPR.

DeepDelver also said that Delve was helping those customers "mislead the public by hosting trust pages that contain security measures that were never implemented."

The fallout has been significant:

  • Delve is no longer listed among Y Combinator's portfolio companies.

  • Insight Partners deleted posts about its investment in the company.

  • Downstream exposure reportedly extends to OpenAI, PayPal, Stripe, Amazon, Microsoft, and the U.S. Department of Veterans Affairs, all of which accepted compliance documentation from confirmed Delve customers.

Delve has denied the core allegations, characterizing itself as an automation platform that provides templates to auditors rather than producing attestations directly. The full picture is still being litigated publicly. But even under the most generous interpretation, the case highlights the tension between speed and rigor in compliance automation. Startups often compete on their ability to streamline and accelerate traditionally slow processes, but there's a line between automation and abbreviation, and between helping and skipping.

Companies that blindly trusted the output without anyone internally reading, questioning, or owning the substance are now scrambling.

What Blind SOC 2 Compliance Actually Costs

Here's the thing about treating SOC 2 as a product you purchase: it works, until it doesn't.

A compliance report that nobody internally understands is a liability, not a shield. It protects you right up until someone asks a follow-up question: a sophisticated customer, a regulator, a partner, or a court. At that point, "we used a compliance platform" is not a defense. You are responsible for the security posture you represent to the world.

The Delve scandal makes this visceral. Companies that displayed "Secured by Delve" trust pages were making representations to their customers. Such certifications are intended to show that a company has strong security policies in place to limit the possibility of incidents. Customers relied on those representations. Whether those companies knew what was underneath the badge or not, they owned the claim.

This is the danger of outsourcing not just the process but the thinking. Automation can help you collect evidence at scale, monitor for drift, and keep track of what's due. What it can't do is make your team care about security, understand your actual risk surface, or stand behind a policy they've never engaged with.

Those things require people. They require debate. They require exactly the kind of uncomfortable conversations that most compliance processes are designed to skip.

A Privacy-First Approach to SOC 2

When Kanary decided not to use a data broker for background checks, we didn't just solve a values problem. We forced ourselves to think carefully about what that control actually exists to do, and whether we were genuinely addressing the underlying risk.

That's what SOC 2 can be, if you let it.

Compliance frameworks are written for companies across every industry, of every size, with every kind of team. If you operate in a space with higher scrutiny, like privacy, security, healthcare or finance, the defaults may not fit. And as in our case, some defaults may actively conflict with your mission.

You're allowed to push back. But you have to come prepared. "We don't want to do this" isn't a rescoped control. "Here's how we address the same risk differently, and here's the evidence" is.

That's the conversation worth having — not just with your auditors, but with your own team.

The Bottom Line on SOC 2, Data Privacy, and Secure Compliance

Our customers trust us with deeply personal data because we've committed to protecting them. That commitment can't stop at the product. It has to run through every decision we make, including the ones that are inconvenient.

SOC 2 is one of the few external forces in the software industry that can push companies toward genuine security maturity. It asks hard questions. It demands evidence. It creates accountability. But only if you engage with it honestly: teams read the policies they sign, and controls reflect how you actually operate. It's effective only if you treat the process as a catalyst for real security thinking rather than a ritual to complete as quickly as possible.

The Delve scandal isn't really a story about one bad actor. It's a story about what happens when an entire market decides that compliance is something you buy, not something you build. Hundreds of companies signed off on reports they didn't generate, badges they didn't earn, and trust pages that described controls they hadn't implemented, because the alternative was slower and harder.

Security is a conversation. You owe it to your customers to have it.

If you're a privacy-focused company staring down the compliance gauntlet and wondering whether you can do it without compromising your principles — you can, but you have to show up.

Want to learn more about how we reduce the human attack surface and hold ourselves to a high standard when managing personal data?

Book some time with us here.

____________________________________________________________________________________________

FAQ For Privacy-Conscious Companies Planning For SOC 2 Attestation

Can a privacy-focused startup complete SOC 2 without using data brokers?

Yes. Privacy-first companies can and should push back on compliance defaults that conflict with their mission, provided they come prepared with an alternative that satisfies the underlying risk. This requires engaging directly with auditors about the purpose of each control and demonstrating an equivalent or better mitigation.

What do I need to know about the Delve compliance scandal?

In March 2026, a whistleblower group called DeepDelver alleged that compliance automation startup Delve was generating fraudulent SOC 2 and ISO 27001 reports, with nearly identical language across hundreds of client reports and auditor conclusions pre-written before clients had submitted evidence. Delve denied the allegations. The fallout included Delve being removed from Y Combinator's portfolio and significant downstream exposure for companies that had accepted Delve-issued compliance documentation.

What are the risks of using compliance automation platforms for SOC 2?

Compliance automation tools can help with evidence collection and monitoring, but they create risk when they encourage teams to skip substantive engagement with their security controls. When leadership approves policies they haven't read or controls are auto-populated without review, the resulting report can become a liability rather than a shield, particularly if a customer, regulator, or court asks detailed follow-up questions.

What should companies know before starting SOC 2 compliance?

Treat SOC 2 as a catalyst for genuine security thinking, not a box to check. Read the policies your team signs. Question whether default controls fit your actual operating context. If you use an automation platform, use it for evidence collection, not as a substitute for understanding your own security posture. The hardest conversations in your compliance process are usually the most valuable ones.