Delve, a London-based SaaS company specializing in workplace analytics, has been accused of misleading customers by falsely claiming compliance with key data protection regulations, according to a regulatory filing by the UK Information Commissioner’s Office (ICO). The allegations stem from a formal investigation launched in 2025 after complaints from multiple enterprise clients who alleged the company had overstated its adherence to GDPR and other privacy standards in marketing materials and contractual agreements.
The ICO’s findings, published this week, reveal that Delve’s public-facing documentation and customer contracts included assertions of full compliance with the General Data Protection Regulation (GDPR), UK GDPR, and international data transfer frameworks such as the EU-US Data Privacy Framework. However, the regulator determined that these claims were not substantiated by Delve’s actual data processing practices, which were found to lack necessary safeguards, including adequate data encryption and user consent mechanisms.
In a statement, the ICO confirmed that Delve has been issued with an enforcement notice requiring the company to immediately cease any misleading compliance representations. The regulator also imposed a £500,000 fine, citing “significant breaches of transparency and accountability obligations under data protection law.” Delve has 30 days to appeal the decision or submit a corrective action plan.
The controversy has raised concerns among Delve’s customer base, many of whom are large corporations in the financial and healthcare sectors that rely on third-party vendors to meet stringent regulatory requirements. One unnamed enterprise client, speaking on condition of anonymity, told TechCrunch that they had conducted an internal audit last year after noticing discrepancies in Delve’s compliance claims, prompting them to switch to an alternative provider.
Delve has not responded publicly to the ICO’s findings, but in an internal memo obtained by this publication, the company’s CEO acknowledged “regulatory oversights” and pledged to “undertake a comprehensive review of all compliance-related materials and processes.” Industry analysts suggest the case highlights growing scrutiny of SaaS vendors’ privacy claims, particularly as organizations face heightened enforcement under evolving global data laws.
Original Source: Read original article