Cybersecurity | 2 hrs ago

Delve’s Certifications Tied to Vercel Breach Amid Customer Exits and Whistleblower Claims

Delve's security certifications are under scrutiny as a Vercel data breach is tied to a former client. Other customers depart amid whistleblower allegations.

Peter Olaleru / 3 min read / NG

Cybersecurity Editor


Source: TechCrunch (original reporting)

Delve's security certifications face heightened scrutiny following a data breach at Vercel tied to a former client and new admissions of security lapses from another.

Allegations against compliance startup Delve intensified after security certifications it had previously provided were linked to a recent Vercel data breach. Vercel, a prominent app and website hosting provider, disclosed an intrusion into its internal systems and some customer data. Attackers gained access after a Vercel employee downloaded an application from Context AI and connected it to their corporate Google account; that connection gave the attackers an entry point into Vercel's infrastructure.

Context AI, the AI agent training startup central to the Vercel incident, confirmed its prior reliance on Delve for security certifications. However, Context AI switched its compliance program to Vanta and engaged Insight Assurance for new independent examinations after March reports about Delve's operational integrity surfaced. The company is currently updating its public attestations.

Delve directly provided security certifications for Context AI, whose own security incident subsequently led to the Vercel data breach. This sequence raises questions about the thoroughness of the certification process. In a related development, Lovable, another company that previously engaged Delve, admitted to publicly exposing customer chat data because of a configuration error. Lovable further disclosed that it had dismissed earlier vulnerability reports alerting it to this exact problem, a failure of prompt remediation that no certificate would have caught.

These events highlight that security certifications, formal assessments designed to verify a company's implementation of security controls, do not inherently prevent security incidents. Organizations must maintain robust, ongoing security practices rather than relying solely on periodic attestations.

What Defenders Should Do: Organizations must prioritize continuous, independent validation of their security posture rather than a once-a-year attestation. Implement a stringent vulnerability management program in which every reported vulnerability and configuration weakness is triaged and tracked to closure, not dismissed. Third-party risk management is paramount: vet every vendor with access to sensitive systems or data on its own evidence, irrespective of the certifications it advertises, and treat a third-party app that an employee connects to a corporate identity provider as vendor access in its own right, to be inventoried and reviewed like any other. Regular penetration tests and security audits should be standard practice, with all findings leading to actionable, documented remediation. Apply the principle of least privilege to every user account, application and OAuth grant, limiting access to only what is strictly necessary.
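The entry point the story describes was a downloaded third-party app granted access to a corporate Google account. One concrete control behind the advice above is an inventory of such OAuth grants with the over-scoped ones flagged for review. The script below is an added example, not code from the article, Vercel, Context AI or Delve: it scores records shaped like the Google Workspace Admin SDK Directory API `tokens` resource (`clientId`, `displayText`, `scopes`, `userKey`, `nativeApp`), but every record, client ID, user and allowlist entry in it is constructed for illustration, and the scope classification is this example's own policy, not a Google or industry standard.

```python
"""Flag over-scoped third-party OAuth grants on corporate Google accounts.

Added example, not from the article or any company it names. Record shape
follows the Google Workspace Admin SDK `tokens` resource; the sample
records, client IDs and allowlist below are constructed, not a real export.
"""
from dataclasses import dataclass, field

# Scopes that give an app broad read or write access to mail, files or the
# user directory. A grant carrying any of these is HIGH unless the app is
# on the vetted allowlist. (Example policy; extend to taste.)
HIGH_RISK_SCOPES = {
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/gmail.readonly",
    "https://www.googleapis.com/auth/gmail.modify",
    "https://www.googleapis.com/auth/drive",
    "https://www.googleapis.com/auth/drive.readonly",
    "https://www.googleapis.com/auth/admin.directory.user",
    "https://www.googleapis.com/auth/admin.directory.user.readonly",
}

# Identity-only scopes: "sign in with Google", no data access.
IDENTITY_SCOPES = {
    "openid", "email", "profile",
    "https://www.googleapis.com/auth/userinfo.email",
    "https://www.googleapis.com/auth/userinfo.profile",
}


@dataclass
class Finding:
    user: str
    client_id: str
    app: str
    risk: str                      # "HIGH", "MEDIUM" or "LOW"
    native_app: bool               # desktop/mobile client, as in the breach
    risky_scopes: list = field(default_factory=list)


def assess_grant(token: dict, allowlist: set) -> Finding:
    """Score one OAuth grant. Allowlisted (vetted) apps are LOW but still
    returned so the inventory is complete; unknown apps with a high-risk
    scope are HIGH; unknown apps with some other data scope are MEDIUM."""
    scopes = set(token.get("scopes", []))
    risky = sorted(scopes & HIGH_RISK_SCOPES)
    if token["clientId"] in allowlist:
        risk = "LOW"
    elif risky:
        risk = "HIGH"
    elif scopes - IDENTITY_SCOPES:
        risk = "MEDIUM"
    else:
        risk = "LOW"
    return Finding(token["userKey"], token["clientId"],
                   token.get("displayText", ""), risk,
                   bool(token.get("nativeApp", False)), risky)


def assess_grants(tokens, allowlist):
    """Score every grant and return findings, highest risk first."""
    order = {"HIGH": 0, "MEDIUM": 1, "LOW": 2}
    findings = [assess_grant(t, allowlist) for t in tokens]
    return sorted(findings, key=lambda f: (order[f.risk], f.user))


# Constructed sample export (hypothetical users, apps and client IDs).
SAMPLE_TOKENS = [
    {"userKey": "alice@example.com",
     "clientId": "agent-demo-123.apps.googleusercontent.com",
     "displayText": "Example Agent Desktop", "nativeApp": True,
     "scopes": ["openid", "email", "https://mail.google.com/",
                "https://www.googleapis.com/auth/drive"]},
    {"userKey": "bob@example.com",
     "clientId": "vetted-sso.apps.googleusercontent.com",
     "displayText": "Vetted SSO Vendor", "nativeApp": False,
     "scopes": ["openid", "email",
                "https://www.googleapis.com/auth/drive.readonly"]},
    {"userKey": "carol@example.com",
     "clientId": "calendar-widget-456.apps.googleusercontent.com",
     "displayText": "Calendar Widget", "nativeApp": False,
     "scopes": ["openid",
                "https://www.googleapis.com/auth/calendar.readonly"]},
    {"userKey": "dave@example.com",
     "clientId": "signin-only-789.apps.googleusercontent.com",
     "displayText": "Sign-in Only App", "nativeApp": False,
     "scopes": ["openid", "email", "profile"]},
]
ALLOWLIST = {"vetted-sso.apps.googleusercontent.com"}  # hypothetical vetted vendor

if __name__ == "__main__":
    for f in assess_grants(SAMPLE_TOKENS, ALLOWLIST):
        native = " [native app]" if f.native_app else ""
        print(f"{f.risk:6} {f.user:20} {f.app}{native} {f.risky_scopes}")
```

In a real deployment the input would come from the Admin SDK `tokens.list` call per user (or a scheduled export of it), and a HIGH finding for a native app should trigger the same review a new vendor onboarding would, since that is exactly the combination the story describes.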

The industry now watches how these incidents reshape expectations for compliance providers and how organizations reassess their dependency on third-party security attestations in an evolving threat landscape.
