Delve accused of misleading customers with ‘fake compliance’

An anonymous Substack post published this week accuses compliance startup Delve of “falsely” convincing “hundreds of customers they were compliant” with privacy and security regulations, potentially exposing those customers to “criminal liability under HIPAA and hefty fines under GDPR.”

Delve is a Y Combinator-backed startup that last year announced raising a $32 million Series A at a $300 million valuation. (The round was led by Insight Partners.) On Friday, the startup attempted to refute the accusations on its blog, calling the Substack post “misleading” and saying it “contains a number of inaccurate claims.”

The Substack post is credited to “DeepDelver,” who described themselves as working at a (now former) Delve client. In response to emailed questions from TechCrunch, DeepDelver said that they and their collaborators “chose to remain anonymous out of fear for retaliation by Delve.”

In their post, DeepDelver recounted receiving an email in December claiming the startup had “leaked a spreadsheet with confidential client reports.” While Delve CEO Karun Kaushik apparently assured customers in a subsequent email that they were in compliance and that no external party gained access to sensitive data, DeepDelver said they and other customers had become suspicious.

“Having the shared experience of being underwhelmed with the Delve experience, and having the overall sense that something fishy was going on, we decided to pool resources and investigate together,” they wrote.

Their conclusion? That Delve “achieves its claim of being the fastest platform by producing fake evidence, generating auditor conclusions on behalf of certification mills that rubber stamp reports, and skipping major framework requirements while telling clients they have achieved 100% compliance.”

DeepDelver went into considerable detail about those claims, accusing the startup of providing customers with “fabricated evidence of board meetings, tests, and processes that never happened,” then forcing those customers to “choose between adopting fake evidence or performing mostly manual work with little real automation or AI.”

DeepDelver also claimed that virtually all of Delve’s clients seem to have gone through two audit firms, Accorp and Gradient, which they described as “part of the same operation,” one that operates primarily in India, with only a nominal presence in the United States.

Those firms, they said, are just rubber-stamping reports that were generated by Delve. As a result, DeepDelver said the startup “inverts” the normal compliance structure: “By generating auditor conclusions, test procedures, and final reports before any independent review occurs, Delve places itself in the role of both implementer and examiner. This is not a technicality. It is a structural fraud that invalidates the entire attestation.”

In addition to accusing Delve of misleading its customers, DeepDelver said the startup is helping those customers “mislead the public by hosting trust pages that contain security measures that were never implemented.”

DeepDelver said that while their company was discussing its issues with Delve, the startup “sent us multiple boxes of donuts […] to keep us happy.” Even so, DeepDelver’s employer supposedly unpublished its trust page and no longer relies on the startup for compliance.

Delve responded to the accusations by saying it does not issue compliance reports at all. Instead, it’s an “automation platform” that ingests information about compliance, then provides auditors with access to that information.

“Final reports and opinions are issued solely by independent, licensed auditors, not Delve,” the company said.

Delve also said that its customers “can opt to work with an auditor of their choosing or opt to work with one from Delve’s network of independent, accredited third-party audit firms.” Those auditors, the startup said, are “established firms used broadly across the industry, including by other compliance platforms.”

In response to the accusation that it’s providing customers with “fake evidence,” Delve countered that it’s simply offering “templates to help teams document their processes in accordance with compliance requirements, as do other compliance platforms.”

“Draft templates are not the same as ‘pre-filled evidence,’” the company said.

Delve added that it is “actively investigating any leaks” and is “still reviewing the Substack.”

When asked about Delve’s response, DeepDelver told TechCrunch that they were “baffled by the laziness, clumsiness and brazenness of it.”

“They are trying to snake their way out [of] being held accountable by denying having ‘pre-filled evidence’ but calling it ‘templates’ instead, effectively shifting the blame to customers for adopting the ‘templates’ as is,” DeepDelver said. “They’re claiming they are not the ones to ‘issue’ the report, which is easy to claim if you define issuing a report as providing the final stamp.”

They added that there are “a number of very serious allegations” that Delve did not address at all: “The India accusation, the lack of AI (they only talk about ‘automations’), and the trust (lol) page containing controls that were never implemented.”

Apparently DeepDelver isn’t done with its criticism, as it promised, “Part II will follow soon.”

In addition, following the initial Substack post, an X user named James Zhou said they were able to gain access to sensitive information from Delve, such as employee background checks and equity vesting schedules. Dvuln founder Jamieson O’Reilly shared more details from what O’Reilly said was a conversation with Zhou about “several gaping security holes in Delve’s external attack surface.”

TechCrunch sent an email seeking additional comment to the media contact address listed on Delve’s website. The email bounced, but after this article was published, I received a calendar invite for a “Delve demo” later this week.

This post was initially published on March 21, 2026. It has been updated with emailed answers from DeepDelver, additional information about purported security vulnerabilities provided by Jamieson O’Reilly, and additional details about Delve’s response to TechCrunch.

Source: techcrunch.com