TechCrunch has confirmed that Delve was the compliance business that performed the security certifications for Context AI, the AI agent training startup that last week disclosed a security incident which led to a data breach at popular app and website hosting giant Vercel. This also touches on aspects of startup.

On the other hand, Lovable, which had its own security incident, is no longer a Delve customer.

To recap: Last month, Delve came under fire when an anonymous whistleblower alleged that the startup was faking customer data and using rubber-stamping auditors in its compliance and certifications processes. Delve has denied those allegations. 

Soon afterwards, hackers attacked one of Delve’s security certification customers, LiteLLM, and planted malware in its open source code. After the incident, LiteLLM told TechCrunch it was dumping Delve and getting re-certified.

Delve was also accused of taking an open source tool and passing it off as its own work without proper license attribution. The startup’s reputation grew shaky, prompting Y Combinator, where Delve graduated from, to sever ties.

Fast-forward to last weekend, Vercel remarked hackers had breached its internal systems and accessed some customer data. The corporation mentioned hackers broke in after an employee downloaded an app made by Context AI and connected that app to Vercel’s corporate account hosted by Google. The hackers abused that employee’s access to their Google account to break into some of Vercel’s internal systems.

After Context AI was named in the Vercel attack, Gergely Orosz, author of the engineering newsletter The Pragmatic Engineer, commented in a post on X that Delve was the enterprise that handled Context AI’s security certification.

Context AI has now confirmed to TechCrunch that it did apply Delve, but it has since ditched the startup and is in the process of getting re-certified. 

“Yes, Context was previously a Delve customer,” a spokesperson for Context AI told TechCrunch. “Following the reporting surrounding Delve in March, we transitioned our compliance program to Vanta and engaged Insight Assurance, an independent audit firm, to conduct updated examinations. As part of the re-examination, we began updating our public materials, and we’ll share the latest attestation when it is complete,” the spokesperson added. 

Security certifications on their own don’t stop security issues. They are intended to verify that a corporation has policies and processes in place to hinder attacks and reduce the likelihood of customer data being compromised. 

Case in point: Lovable was a Delve customer, but after the whistleblower’s allegations came out, the vibe-coding platform commented it had ditched the startup back in late 2025. The firm has already re-completed one security certification, and is in process of redoing others, it said. 

Still, Lovable on Monday admitted that it had inadvertently shared access to customer chat data publicly. The corporation also mentioned it had dismissed vulnerability reports that alerted the organization to the problem months earlier. Lovable apologized for initially denying there was a data breach, though it stated the issue was caused by a configuration error, rather than a hack.

There’s even weirder news swirling around Delve. The anonymous whistleblower, DeepDelver, has published another post alleging Delve was denying refunds to customers, but still took its team of more than 20 humans to an offsite meeting in Hawaii between April 15 and April 19.  

The whistleblower shared some compelling receipts with TechCrunch that lend credence to the alleged Hawaii trip, but TechCrunch could not confirm other claims.

After publication, Delve declined comment.

Topics

When you purchase through links in our articles, we may earn a modest commission. This doesn’t affect our editorial independence.