Substack report claims Delve issued SOC 2 Type II reports in 2 weeks
A report and follow-up threads allege Delve issued compliance paperwork on timelines that conflict with standard SOC 2 observation windows, prompting scrutiny from engineers and vendors. Procurement teams should verify auditor names, observation periods, and current certificates instead of trusting badges at face value.

TL;DR
- A Substack investigation, amplified by Gergely Orosz's initial thread, alleges Delve issued compliance paperwork on timelines that do not match normal audit practice, including companies appearing "GDPR, SOC2, HIPAA compliant in ~a week."
- The sharpest claim is in Orosz's follow-up post: a Delve-issued SOC 2 Type II report allegedly arrived in two weeks, even though he says "no auditor issues this" without at least a three-month observation window.
- Engineers with audit experience echoed that timeline mismatch. In Orosz's practitioner note, proper compliance work cannot usually be done "in days" unless a vendor is "rubber stamping it."
- Vendors are already distancing themselves. Lovable's company statement said it is not a Delve customer, had already moved to Vanta, and that its current SOC 2 Type II was audited by Prescient Assurance.

What does the report actually allege?
The core allegation is not just that Delve moved fast, but that the speed itself may contradict how SOC 2 Type II audits work. Orosz's thread points readers to the Substack report, which claims Delve may be using auditor relationships and processes that do not provide meaningful assurance. He frames the central question in concrete terms: how companies could appear "GDPR, SOC2, HIPAA compliant in ~a week" if the underlying controls were genuinely evaluated.
The most specific example comes from Orosz's testimonial thread and follow-up, which point to a Delve customer testimonial describing a SOC 2 Type II report issued in two weeks. That matters because, as he writes in the post, "no auditor issues this" with less than a three-month monitoring window, with six months more typical. If that timeline is accurate, the dispute is not about marketing language; it is about whether a report labeled Type II could reflect the observation period buyers expect when they review vendor security claims.

How are engineers and vendors reacting?
The immediate engineering reaction is skepticism toward compliance badges that lack auditable detail. In Orosz's practitioner note, someone familiar with "proper compliance work and audits" says it is "just a lie" that major certifications are typically achievable in days unless a vendor is "rubber stamping it." For teams doing security reviews, that shifts attention from badge presence to basics like the auditor name, report type, and observation period described in the paperwork.
Vendors are also clarifying whether they used Delve at all. Lovable's statement says it "is not a Delve customer," that it moved to Vanta before the current reporting, and that its SOC 2 Type II was independently audited by Prescient Assurance. A separate reaction from a widely shared reply captures the broader uncertainty: "seems like no one was actually a Delve customer....?" That does not answer the report's claims, but it shows how quickly procurement trust can erode once the audit trail itself becomes the story.