[throwaway2016a]

There is a lot of serious allegations in here. But some of these complaints apply to most SOC 2 compliance services. For example: it points out that Delve provides pre-filled documents and encourages you to accept them as is. In my experience that is typical. I have seen companies just rubber stamp pre-created documents that describe IT processes that do not accurately reflect actual policy because the MBA[1] running the project didn't want to pull in IT and had no idea what any of it meant.

[1] No offense to MBA, just using it as a placeholder for: business stakeholder with no IT background.

[hrimfaxi]

Giving you template device management policies is one thing, it's a whole other thing to say you don't have to have board meetings and generating fake minutes.

[throwaway2016a]

100%, accepting pre-generated board meeting notes is egregious. This whole thing is awful and I am in no way defending it. The opposite, I think other compliance as a service companies also need to be scrutinized as well.

[x0x0]

If you aren't either having the minimal meetings or written consents per the requirements for the delaware C, something outside Delve's hands has gone off the rails...

[icedchai]

Many small companies operate without any formal board meetings.

Not every company is a Delaware C corp.

[whatinthenote]

Doesn't seem like a problem with SOC 2 compliance, seems like a problem where a company appointed someone who is not suited to handle a SOC 2 project.

As for the pre-filled stuff, that's what other SOC 2 companies mean when they try to sell you "compliance in a box." Not that bad if the company is starting from scratch (<1 year), but not realistic for a company that has an existing IT footprint.

However, the allegations here is that it is fraud. An "AI" company acting as a front for certification mills.