Vendor Compliance Intelligence.
Open Methodology.
Trust Compliance started as a response to the Delve audit scandal - a data leak that revealed hundreds of structurally identical SOC 2 and ISO 27001 reports being sold as independent audits. We've since expanded into a full vendor compliance intelligence platform - monitoring security signals, verifying auditors, and helping companies make informed decisions about their vendor ecosystem.
The Delve incident proved that the compliance industry has a systemic trust problem. Our mission is to give security teams, procurement officers, and compliance leaders the tools they need to verify vendor claims - not just for one scandal, but on an ongoing basis across any vendor, any auditor, and any framework.
What This Site Does
Exposure Checker
Search our database to see if your vendor's compliance reports were produced by the Delve template-based operation.
Report Scanner
Upload any SOC 2 or ISO 27001 report and scan it against our 10 fingerprint patterns to detect template-based reports.
Statistics
Aggregate analysis of 533 leaked reports showing the scale and patterns of the compliance scandal.
Why This Matters
SOC 2 and ISO 27001 reports are the foundation of vendor trust in the B2B software industry. When a company shares their SOC 2 report, they are saying: "An independent auditor verified our security controls." Procurement teams, security teams, and compliance officers rely on these reports to make risk decisions that affect entire organizations.
If those reports were never actually audited - if they were just templates with a company name swapped in - then the entire chain of trust collapses. Companies that relied on these reports may have unknowingly accepted risk they believed was mitigated.
Our goal is to help the security community identify potentially template-based compliance reports and make informed decisions about vendor trust. This is not about shaming individual companies - many of whom may be victims themselves - but about bringing transparency to a systemic failure in the compliance industry.
Methodology: 10 Fingerprint Patterns
We identify potentially template-based reports by scanning for 10 distinct patterns that appear across the leaked Delve reports. Each pattern alone might be explainable; together, they constitute a clear fingerprint of template-based mass production.
Delve Auditor License Number
The exact license number PAC-FIRM-LIC-47383 found in 487 out of 494 Delve SOC 2 reports
Boilerplate Criteria Reference
Exact boilerplate referencing DC Section 200 2018 - appears verbatim across reports
Boilerplate TSP Reference
Verbatim reference to TSP Section 100, 2017 Trust Services Principles
Template Test Procedure
Identical test procedure language used across all reports
Mass 'No Exceptions Noted'
Identical 'No exceptions noted' result across 220+ controls per report
Identical Page Layout (Section 4)
Section 4 starts at the exact same page across all reports - impossible with unique audits
Identical Page Layout (Section 5)
Section 5 starts at page 82 across all reports
Gradient Certification Inc.
Reports signed by Gradient Certification Inc. - identified as a systematic template-based operation
Disaster Recovery Boilerplate
Identical disaster recovery disclaimer from AICPA guidance - copy-pasted across all reports
Identical COSO Framework Count
Exactly 17 COSO Principle references across all reports - same framework, same structure
How We Score Reports
Each fingerprint has a severity weight (Critical = 3, High = 2, Medium = 1). When scanning a report, we check for each pattern and compute a total score against the maximum possible. A report matching 7+ patterns with a score above 70% is flagged as "High confidence Delve template." Reports matching 4-6 patterns are "Likely Delve template." Fewer matches yield "Low confidence" or "No match."
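The scoring rule above, as an added Python example (not Trust Compliance's own scanner code). The per-pattern severities, the function and pattern names, the assumption that reports contain the quoted strings verbatim, and the handling of cases the page leaves open (7+ matches at 70% or below; where "Low confidence" ends and "No match" begins) are assumptions.

```python
import re

WEIGHT = {"critical": 3, "high": 2, "medium": 1}  # weights stated on the page
# Assumption: per-pattern severities; the page does not publish them.
SEVERITY = {
    "license_number": "critical", "signing_firm": "critical",
    "test_procedure": "high", "mass_no_exceptions": "high",
    "section4_page": "high", "section5_page": "high",
    "criteria_ref": "medium", "tsp_ref": "medium",
    "dr_boilerplate": "medium", "coso_count": "medium",
}
MAX_SCORE = sum(WEIGHT[s] for s in SEVERITY.values())

def detect_text_patterns(text):
    """Return fingerprints detectable from strings quoted on the page."""
    found = set()
    if "PAC-FIRM-LIC-47383" in text:
        found.add("license_number")
    if "Gradient Certification Inc." in text:
        found.add("signing_firm")
    if "DC Section 200" in text:
        found.add("criteria_ref")
    if "TSP Section 100" in text:
        found.add("tsp_ref")
    if len(re.findall(r"no exceptions noted", text, re.I)) >= 220:
        found.add("mass_no_exceptions")
    if len(re.findall(r"COSO Principle", text)) == 17:
        found.add("coso_count")
    return found

def classify(matched):
    """Score matched fingerprints and map them to the page's four labels."""
    matched = set(matched) & set(SEVERITY)
    pct = 100.0 * sum(WEIGHT[SEVERITY[m]] for m in matched) / MAX_SCORE
    if len(matched) >= 7 and pct > 70:
        label = "High confidence Delve template"
    elif len(matched) >= 4:   # assumption: 7+ matches at <= 70% also land here
        label = "Likely Delve template"
    elif matched:             # assumption: one to three matches
        label = "Low confidence"
    else:
        label = "No match"
    return round(pct, 1), label

# Constructed sample text, not taken from any real report.
SAMPLE = ("PAC-FIRM-LIC-47383 Gradient Certification Inc. DC Section 200 "
          "TSP Section 100 " + "No exceptions noted. " * 220
          + "COSO Principle " * 17)
```

The page-layout and boilerplate fingerprints need page-aware extraction and the verbatim template text, so the caller adds those names to the matched set, for example `classify(detect_text_patterns(text) | {"section5_page"})`.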
Verification & Sources
Our analysis is grounded in publicly available data. Here is how our key claims can be independently verified.
Data Source
The 533 audit reports covering 455 companies were sourced from publicly leaked documents first reported by independent researchers. The leak was widely covered across security communities and investigative publications.
Template Similarity Analysis
Our "99.8% identical" claim refers to structural and textual similarity across boilerplate sections of the reports - including identical page numbering, identical auditor license references, and identical test procedure language. This was measured by comparing section structure, page layout, and verbatim text blocks across all SOC 2 reports in the dataset.
Fingerprint Detection
Each of the 10 fingerprint patterns is documented above with its prevalence rate. These patterns were identified through manual analysis of the leaked reports and validated by cross-referencing against known legitimate SOC 2 reports. Our scanner is available for anyone to test against their own reports.
Vendor Risk Scoring
Our risk model evaluates vendors across four weighted dimensions: Audit Integrity (35%), Compliance Coverage (25%), Infrastructure & Security (20%), and Transparency & Governance (20%). Individual scores and signal breakdowns are available via our public API.
Operated By
trustcompliance.xyz is operated by Analyxa LLC. For verification inquiries, data corrections, or removal requests, contact [email protected].
All Tools
Company Checker
Search 455+ companies in the leaked database.
Report Scanner
Upload and scan SOC 2 reports for template fingerprints.
Trust Score
Assess vendor trust with a structured questionnaire.
Real or Fake Game
Swipe-style game to spot template-based audit reports.
Auditor Check
Verify if an audit firm is legitimate or flagged.
Playbook
Step-by-step guide to verify compliance reports.
Statistics
Aggregate analysis of 533 leaked reports.
Alternatives
Vetted compliance providers and audit firms.
This project is operated by Analyxa LLC, also the team behind LMMarketCap - an AI model intelligence platform. We have no affiliation with any compliance vendor.