Compliance startup Delve just got tied to another customer breach, this time involving Context AI and a cascade that reached hosting giant Vercel. TechCrunch AI reports that Delve handled the security certifications for Context AI, the AI agent training company that disclosed a security incident last week, which then led to a data breach at Vercel. That makes Context AI the second confirmed Delve customer to suffer a serious security event in a matter of weeks.
Here’s how the chain broke, according to TechCrunch AI. A Vercel employee downloaded an app built by Context AI and connected it to Vercel’s corporate Google account. Hackers abused that access to get into Vercel’s internal systems and grab some customer data. Engineering newsletter writer Gergely Orosz flagged on X that Delve was behind Context AI’s certification. Context AI has now confirmed it, telling TechCrunch it dropped Delve after the March reporting, moved its compliance program to Vanta, and hired independent audit firm Insight Assurance to re-examine everything.
The Delve backstory keeps getting worse
This isn’t one bad headline. It’s a pattern. Over the past month, Delve has faced:
- An anonymous whistleblower, DeepDelver, alleging the startup faked customer data and used rubber-stamp auditors
- Hackers planting malware in the open source code of another Delve customer, LiteLLM, which promptly dumped Delve and got re-certified
- Accusations that Delve lifted an open source tool and passed it off as its own without proper license attribution
- Y Combinator, which Delve graduated from, cutting ties with the company
And now a fresh twist: the same whistleblower claims Delve denied customer refunds while flying its 20-plus staff to an offsite in Hawaii between April 15 and April 19. TechCrunch says it saw receipts that back up the trip itself, though it couldn’t verify the refund claim. Delve declined to comment after publication.
What about Lovable?
Lovable, the vibe-coding platform, is a side note in this story but worth flagging. It was a Delve customer too, dropped the startup in late 2025 after the whistleblower allegations, and has already redone one certification. Then on Monday, Lovable admitted it had inadvertently exposed customer chat data and had dismissed vulnerability reports about it months earlier. The company apologized for initially denying a breach, though it says this was a configuration error, not a hack. Point being, dropping Delve doesn’t automatically fix your security posture.
Why this matters
Security certifications aren’t a shield. They’re supposed to verify that a company has real policies and processes to reduce the odds of a breach. When the certifier itself is accused of shortcuts, every certificate it issued becomes suspect, and every downstream customer who trusted one of those certified vendors inherits the risk. That’s the ugly part of what happened to Vercel. Its employee trusted an app from a certified vendor, and the certification didn’t mean what buyers thought it meant.
For AI practitioners and buyers, a few practical takeaways:
- If your vendor’s compliance attestation came from Delve, assume it needs to be redone by a real auditor. Context AI and LiteLLM are already doing this.
- Treat third-party app connections to corporate accounts as a high-trust action. Vercel’s breach started with one employee linking an external app to a Google workspace.
- Watch where competitors like Vanta and Drata pick up the dropped accounts. The compliance market is about to see a wave of re-certifications.
The bigger story is about trust infrastructure in AI. Fast-moving AI startups are relying on fast-moving compliance startups to tell enterprise buyers they’re safe. When that chain breaks, everyone downstream pays. Expect more shoes to drop as customers audit their Delve-stamped certifications, and expect enterprise procurement teams to start asking much harder questions about who actually did the audit.
More details are in the full TechCrunch AI report.