If your company used Delve for SOC 2 or ISO 27001 compliance, you are likely dealing with a mix of anger, embarrassment, and urgency. The investigative report published on March 19 revealed that Delve fabricated audit reports at industrial scale, and your organization may now be holding a compliance certification that is not worth the PDF it is written on.
This guide is not about assigning blame. It is about what to do right now to protect your organization, your customers, and your business relationships.
Week 1: Immediate assessment
Take down your trust page
If your public trust page was powered by Delve, take it offline immediately. Multiple affected companies have already done this. A trust page displaying fabricated compliance data is worse than having no trust page at all — it actively misleads your customers and partners, and continuing to display it after the scandal is public knowledge compounds your liability.
Identify your auditor
Determine which audit firm signed your SOC 2 or ISO 27001 report. The auditor is critical context for your next steps:
- Accorp, Gradient Certification, or Glocert: These firms were identified as certification mills in the investigation. Reports from these auditors should be considered unreliable. Begin planning a full re-audit.
- Prescient Security/Assurance: Prescient says they conducted audits independently. Read our detailed guide for Prescient clients. Contact them directly to verify the methodology used for your engagement.
- Aprio or another established firm: Contact them directly. Established firms have reputations to protect and will likely cooperate in verifying the integrity of your specific engagement.
Assess what evidence was real
Delve's platform offered one-click adoption of pre-fabricated evidence. Your team needs to honestly assess which controls described in your SOC 2 report actually exist:
- Do your security policies exist, and have employees actually read them?
- Were access reviews actually conducted at the documented frequency?
- Did the board meetings described in your evidence actually occur?
- Was a penetration test actually performed, and do you have the report?
- Is your incident response plan tested, or just a document that was never used?
Be honest with yourself. If you know that Delve's templates were adopted without implementing the actual controls behind them, your compliance gap is not just a paperwork problem — it is a genuine security problem. Your organization may be operating without the security controls your customers believe are in place.
Week 2: Legal and stakeholder assessment
Engage legal counsel
Your legal exposure depends on your industry, the data you process, and the commitments you made to customers based on your SOC 2 report:
- Healthcare / PHI: If you process Protected Health Information and your HIPAA compliance relied on the Delve-issued SOC 2, consult a healthcare compliance attorney immediately. Willful neglect under HIPAA carries criminal penalties.
- EU data / GDPR: If you process EU resident data and represented SOC 2 compliance as evidence of adequate data protection, you may face liability under GDPR Article 83 (fines up to 4% of global annual revenue).
- Enterprise contracts: Review your customer contracts for compliance representations and warranties. Many enterprise agreements include clauses requiring valid compliance certifications. A fabricated SOC 2 may constitute a material breach.
- Public companies: If you are publicly traded (like NASDAQ-listed Duos Edge AI, a Delve client), consult with securities counsel regarding potential disclosure obligations.
Determine notification obligations
Work with legal counsel to determine whether you need to notify:
- Enterprise customers who relied on your SOC 2 for vendor risk decisions
- Partners or resellers who may have represented your compliance status to their customers
- Regulators, particularly if you operate in regulated industries
- Your board of directors
Week 3-4: Begin rebuilding
Choose a legitimate compliance platform
If you plan to use a compliance automation tool (and you should — they genuinely help when used honestly), choose an established platform:
- Vanta — Market leader with 375+ integrations and strong auditor relationships
- Drata — Strong automation with good evidence collection capabilities
- Secureframe — Includes advisory and consulting support
- Sprinto — Budget-friendly option popular with international startups
The key difference between these platforms and Delve: they automate evidence collection and workflow, not evidence fabrication. You still need to actually implement and operate the controls.
Conduct a genuine gap assessment
Before starting a new SOC 2 audit, you need to know where you actually stand. A readiness assessment performed by an independent security firm will identify the gaps between where you are and where you need to be. This is not the same as running a compliance platform's automated checks — it requires human judgment about whether controls are genuinely operating.
Get a real penetration test
If your Delve trust page listed a penetration test that was never conducted, schedule one immediately. A genuine web application pentest is typically the first thing sophisticated enterprise buyers verify, and it is one of the easiest claims to disprove if fabricated.
Select a qualified auditor
For your re-audit, choose a CPA firm with verifiable credentials:
- Verify state CPA board registration independently
- Check AICPA peer review status
- For ISO 27001, ensure the certification body is accredited by a recognized body (UKAS, ANAB, or equivalent IAF member)
- Talk to the auditor directly — not through a platform intermediary
- Ask for references from other clients in your industry
Months 2-6: Operate genuine controls
There is no shortcut here. A SOC 2 Type II observation period exists for a reason: controls need to be operating consistently over time. Use this period to:
- Implement the policies your report claimed you had
- Conduct actual access reviews at the frequency your policy specifies
- Run real security awareness training for all employees
- Establish genuine change management processes
- Test your incident response plan through tabletop exercises
- Perform a real vendor risk assessment of your critical providers
- Deploy logging and monitoring that actually gets reviewed
This work takes months, not days. That is the point. If compliance could legitimately be achieved in days, the framework would have no value.
The opportunity in the wreckage
Here is the uncomfortable truth: if you used Delve, you probably knew something was off. SOC 2 "in days" is not a realistic claim, and most technical founders understand that. The appeal was not that Delve delivered genuine compliance — it was that Delve made the checkbox go away quickly and cheaply so you could close enterprise deals.
The Delve scandal is an opportunity to do it right. Companies that rebuild with genuine controls will not only have a defensible compliance posture — they will have an actual security program that protects their customers. That is what enterprise buyers are really trying to verify when they ask for your SOC 2 report.
Need help rebuilding your compliance program?
We help Delve-affected companies assess their actual security posture, close gaps, and prepare for legitimate re-certification. Penetration testing, readiness assessments, and ongoing security support.
