Built by Security Practitioners.
Open Methodology.
trustcompliance.xyz exists because the compliance industry has a trust problem. In late 2024, a data leak from the Delve compliance platform revealed hundreds of SOC 2 and ISO 27001 audit reports that were structurally identical — differing only in the company name stamped on the cover page.
This means hundreds of companies paid for "independent audits" and received what appears to be the same mass-produced template. Their customers, investors, and partners relied on these reports to make trust decisions — decisions that may have been based on fraudulent documentation.
What This Site Does
Exposure Checker
Search our database to see if your vendor's compliance reports were produced by the Delve compliance mill.
Report Scanner
Upload any SOC 2 or ISO 27001 report and scan it against our 10 fingerprint patterns to detect template-based fraud.
Statistics
Aggregate analysis of 533 leaked reports showing the scale and patterns of the compliance fraud operation.
Why This Matters
SOC 2 and ISO 27001 reports are the foundation of vendor trust in the B2B software industry. When a company shares their SOC 2 report, they are saying: "An independent auditor verified our security controls." Procurement teams, security teams, and compliance officers rely on these reports to make risk decisions that affect entire organizations.
If those reports were never actually audited — if they were just templates with a company name swapped in — then the entire chain of trust collapses. Companies that relied on these reports may have unknowingly accepted risk they believed was mitigated.
Our goal is to help the security community identify potentially fraudulent compliance reports and make informed decisions about vendor trust. This is not about shaming individual companies — many of whom may be victims themselves — but about bringing transparency to a systemic failure in the compliance industry.
Methodology: 10 Fingerprint Patterns
We identify potentially fraudulent reports by scanning for 10 distinct patterns that appear across the leaked Delve reports. Each pattern alone might be explainable; together, they constitute a clear fingerprint of template-based mass production.
Delve Auditor License Number
The exact license number PAC-FIRM-LIC-47383 found in 487 out of 494 Delve SOC 2 reports
Boilerplate Criteria Reference
Exact boilerplate referencing DC Section 200 2018 — appears verbatim across reports
Boilerplate TSP Reference
Verbatim reference to TSP Section 100, 2017 Trust Services Principles
Template Test Procedure
Identical test procedure language used across all reports
Mass 'No Exceptions Noted'
Identical 'No exceptions noted' result across 220+ controls per report
Identical Page Layout (Section 4)
Section 4 starts at the exact same page across all reports — impossible with unique audits
Identical Page Layout (Section 5)
Section 5 starts at page 82 across all reports
Gradient Certification Inc.
Reports signed by Gradient Certification Inc. — identified as a certification mill
Disaster Recovery Boilerplate
Identical disaster recovery disclaimer from AICPA guidance — copy-pasted across all reports
Identical COSO Framework Count
Exactly 17 COSO Principle references across all reports — same framework, same structure
How We Score Reports
Each fingerprint has a severity weight (Critical = 3, High = 2, Medium = 1). When scanning a report, we check for each pattern and compute a total score against the maximum possible. A report matching 7+ patterns with a score above 70% is flagged as "High confidence Delve template." Reports matching 4-6 patterns are "Likely Delve template." Fewer matches yield "Low confidence" or "No match."
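The scoring rule above, as an added example (not the site's own scanner code). The severity assigned to each fingerprint, the counting regexes, and the handling of cases the text leaves open (7+ matches at 70% or below, and the split between "Low confidence" and "No match") are assumptions; the sample report text is constructed.

```python
import re

# Severity weights as stated on the page.
WEIGHTS = {"critical": 3, "high": 2, "medium": 1}
# ASSUMPTION: the page names ten fingerprints but does not publish which
# severity each one carries; this mapping is illustrative only.
FINGERPRINTS = {
    "license_number": "critical", "gradient_cert": "critical",
    "test_procedure": "high", "no_exceptions": "high",
    "section4_page": "high", "section5_page": "high",
    "criteria_boilerplate": "medium", "tsp_boilerplate": "medium",
    "dr_boilerplate": "medium", "coso_count": "medium",
}
MAX_SCORE = sum(WEIGHTS[s] for s in FINGERPRINTS.values())

def detect(text, section5_page=None):
    """Check the five fingerprints the page states concretely."""
    hits = set()
    if "PAC-FIRM-LIC-47383" in text:
        hits.add("license_number")
    if "Gradient Certification Inc." in text:
        hits.add("gradient_cert")
    if len(re.findall(r"no exceptions noted", text, re.I)) >= 220:
        hits.add("no_exceptions")
    if len(re.findall(r"COSO Principle", text)) == 17:  # assumed phrasing
        hits.add("coso_count")
    if section5_page == 82:
        hits.add("section5_page")
    return hits

def score(hits):
    """Return (matches, percent of maximum score, verdict)."""
    total = sum(WEIGHTS[FINGERPRINTS[h]] for h in hits)
    pct = round(100 * total / MAX_SCORE, 1)
    n = len(hits)
    if n >= 7 and pct > 70:
        verdict = "High confidence Delve template"
    elif n >= 4:  # ASSUMPTION: 7+ matches at <=70% fall through to here
        verdict = "Likely Delve template"
    elif n >= 1:  # ASSUMPTION: any match below 4 is "Low confidence"
        verdict = "Low confidence"
    else:
        verdict = "No match"
    return n, pct, verdict

# Constructed sample text, not taken from any real report.
SAMPLE = ("License PAC-FIRM-LIC-47383. Signed: Gradient Certification Inc. "
          + "No exceptions noted. " * 220 + "COSO Principle 1. " * 17)
if __name__ == "__main__":
    print(score(detect(SAMPLE, section5_page=82)))
```

Under these assumed weights, seven matches made up only of High and Medium patterns score below 70%, so the pattern count and the weighted percentage are both needed to reach the top verdict.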
Check Your Vendor
Search our database of 455+ companies or upload a report to scan it against our fingerprint patterns.
This project is maintained by independent security practitioners. We have no affiliation with any compliance vendor.