Delve Customer Context AI Suffers Security Incident

Another Customer of Troubled Startup Delve Suffered a Big Security Incident

This article details a series of security incidents and allegations surrounding the compliance startup Delve and its clients, including AI agent training startup Context AI and the hosting giant Vercel.

Key Incidents and Allegations:

  • Delve's Role in Context AI Breach: TechCrunch confirmed that Delve provided security certifications for Context AI. A security incident at Context AI subsequently led to a data breach at Vercel, a major app and website hosting provider.
  • Whistleblower Allegations: Delve faced accusations from an anonymous whistleblower (DeepDelver) of faking customer data and using rubber-stamping auditors for its compliance and certification processes. Delve has denied these claims.
  • LiteLLM Incident: Hackers attacked LiteLLM, a Delve customer, planting malware in its open-source code. LiteLLM subsequently terminated its relationship with Delve and sought re-certification.
  • Open Source Misappropriation Allegation: Delve was also accused of taking an open-source tool and presenting it as its own work without proper licensing.
  • Y Combinator Severance: Due to the mounting reputational damage, Delve parted ways with Y Combinator.
  • Vercel Breach: Hackers breached Vercel's internal systems and accessed customer data after exploiting an employee's access to a Context AI application connected to Vercel's corporate Google account.
  • Context AI's Response: Context AI confirmed its past relationship with Delve but stated it has since transitioned its compliance program to Vanta and engaged Insight Assurance for re-examinations.
  • Lovable's Incident: Lovable, another former Delve customer, admitted to inadvertently sharing customer chat data publicly and dismissing vulnerability reports. The company attributed the issue to a configuration error, not a hack.
  • Hawaii Offsite Allegation: The whistleblower DeepDelver alleged that Delve denied refunds to customers while simultaneously taking its team on an offsite meeting in Hawaii.

Implications for Security Certifications:

  • Security certifications are designed to verify that a company has policies and processes to hinder attacks and reduce the likelihood of customer data compromise, but they do not prevent security issues entirely.
  • The incidents highlight the critical importance of robust security practices and the potential downstream impact when a compliance provider faces scrutiny.