Vendor transparency & warnings

ISMS Directory curates compliance service providers. We exclude vendors where independent sources have raised significant concerns about their practices. This page explains which vendors we've excluded and why, with links to primary sources so you can verify the evidence yourself.

All claims on this page are based on publicly available, independently verifiable sources. We encourage you to read the primary sources and form your own conclusions.

Delve

Not listed

Documented concerns about compliance report generation

According to an investigation by DeepDelver, corroborated by industry auditor Troy Fine (CPA/CISA/CISSP) and covered by DoControl, Delve reportedly generated pre-written auditor conclusions, test procedures, and final SOC 2 reports from a single template reused across hundreds of clients. The investigation reported that analysis of 494 leaked reports found 99.8% contained identical boilerplate text. Auditor firms named in the reports were reported to have operated through Indian entities using US-registered addresses. The company's CEO denied the allegations in emails to affected clients, which independent sources have disputed. Based on the weight of publicly available evidence, ISMS Directory has chosen not to list this vendor.

Sources

DeepDelver Investigation (Substack)Troy Fine, CPA/CISA/CISSP (LinkedIn)Hacker News Discussion DoControl Analysis

Last updated: March 2026

About this page

ISMS Directory maintains this page to protect the compliance community. Our assessments are based on publicly available evidence from independent third parties. We do not make unsubstantiated claims. If you believe any information on this page is inaccurate, please contact us with supporting evidence and we will review it promptly.