Is it illegal to be a corporate spy? A founder's perspective on the Rippling vs. Deel saga

On March 17, 2025, the tech and business community on X woke up to some explosive accusations between two well-known startups in Silicon Valley. The CEO of Rippling, Parker Conrad, filed a lawsuit against their competitor, Deel, and accused them of "cultivating a spy" inside of Rippling, and using that person to pass along sensitive information from Rippling's internal systems to help Deel's business. It all started with a single tweet:

While the original allegations were denied by Deel's legal team in a statement, new developments in the story came to light on April 2nd, when the person who served as the spy, Keith O'Brien, testified via an affidavit that he had indeed served as a corporate spy under the direction of the Deel CEO, Alex Bouaziz.

[Image: A Google 'Top Stories' prompt displaying four headlines about the Deel vs Rippling case. Caption: There's been a ton of coverage about this case]

The story itself feels as if it's taken from a movie, complete with a "honey-pot" scheme to try to discover the spy, a physical chase through the office, and an alleged offer to move the spy's family to Dubai. The coverage of the case has been extensive, and I won't try to summarize it all here. However, in this post, I'd like to share my own thoughts about the case as a founder of a startup in Silicon Valley, as I, like many interested in the drama, had many questions about the events that happened and what they might mean. Before I dive in, I want to state that I'm not a lawyer and none of this should be taken as legal advice. I just did my own research and I hope it helps those who are interested. I'll start with some of the biggest questions I had:

Is it illegal to be a corporate spy?

Yes. Being a "corporate spy", or in more legal terms committing corporate espionage, is illegal in the United States under the Economic Espionage Act passed in 1996. Under this law, committing corporate espionage, which can be loosely summarized as stealing trade secrets, is a federal offense.

As a follow-up, the National Information Infrastructure Protection Act of 1996 was also enacted, which amended the language of the original act to be more specific about computer-related espionage and the theft of sensitive digital information.

Of course, the actual definition of what a corporate spy is, or what counts as corporate espionage, is often determined in court. For example, using published sources of information, such as a public blog post or website, to gain a business advantage likely wouldn't count as corporate espionage. However, copying an internal document and then secretly sharing it with another party could be. Much of the final conviction, however, would come down to the judge and the evidence in the case.

It's not possible to pass judgement without looking at all the evidence in a case, and as an outsider, it's best to assume innocent until proven guilty. That said, in the case of the spy in Rippling vs Deel, there does seem to be a solid amount of evidence in the released affidavit that points to illegal activity. In the affidavit, the spy documents screen recording internal Slack channels, pulling specific and sensitive information about certain customers at Rippling, and specific sales documents including a Deel "battlecard", which Rippling sales team members used to convince customers to switch to Rippling. In my personal opinion, this does seem to cross the line into corporate espionage and what would be considered illegal by law.

Can you go to jail for being a corporate spy?

Yes, being a corporate spy is a federal offense that can be punishable by a fine, or up to ten years in jail, or both. The Economic Espionage Act defines these punishments and also includes language that an organization that is convicted of corporate espionage can face up to 10 million dollars in fines.

Leaders of organizations, like Alex Bouaziz in this case, can also face jail time if they are proven to be responsible in the case. Of course, there will be lengthy legal proceedings to prove guilt beyond a reasonable doubt, and that is what likely will happen in the case of Rippling vs Deel when it comes to a jury's decision on whether Alex Bouaziz may face jail time or not.

It's unclear at this time what kind of jail time the Deel spy, Keith O'Brien, may be facing in response to his actions. Oftentimes, as seen in other high-profile corporate cases, plea deals are arranged. Given the full affidavit that O'Brien released, it's likely that certain plea deals have been put on the table. Like his friend said, "the truth will set you free".

How should I protect my company from a corporate spy?

Part of the reason that the Rippling vs Deel case is so high-profile is that it has many other founders questioning whether something like this could also be undiscovered within their own organizations. However, protecting a company from corporate espionage simply starts from the people within the company. Hiring, managing, and team building with integrity are critical components of building an organization that can prevent corporate espionage but also discover it more quickly if it does occur. While building a transparent organization comes at the risk of being taken advantage of, I believe that it's still more important to treat all team members with trust and assumption of best intentions, rather than take excessive action to prevent a corporate espionage scenario.

Our company Kapwing is still a relatively small startup, and we place a high amount of trust in the people that we hire to do right by their jobs. Like Rippling, we are in a very competitive space, with many other companies, both large and small, actively working to serve creators who are trying to edit video. Beyond the human component, however, we do take a few proactive measures to mitigate the risk of our own trade secrets making their way into the hands of competitors:

  1. Reference Checks: For every hire we make, we do a reference call with previous employers or managers, no matter how excited we are about the candidate. Reputation goes a long way in a small community like Silicon Valley, and it's important to know that a new employee can be trusted with our most sensitive systems. Knowing that another person can vouch for a new employee is important.
  2. Exit interviews: When employees choose to leave Kapwing, we conduct an exit interview, whether it's on good or bad terms. We'd like to think that our departures have largely been on good terms, but an exit interview can help give a departing member a time to share how they might feel about the company and any potential grievances they might have. This at least lets employees leave on their terms, and potentially can mitigate situations where they go straight to a competitor with bitter intentions.
  3. Supporting employees: Actively supporting employees through high-quality management and learning more about their lives as a person outside of work goes a long way in building trust and camaraderie. Managers at Kapwing try to adhere to a monthly career check-in, where members of their team can share what is working well with their role, and what other areas they need to feel more supported in their growth. This can help proactively prevent a situation where someone feels the need to share sensitive systems in exchange for money or something else.

Is corporate spying common?

Corporate spying isn't that common, at least when it comes to high-profile cases like Rippling vs Deel, but it's likely more common than the numbers say because of unreported cases. There are also many cases that happen but may not have enough evidence to be legally taken to court. There are also many milder cases. For example, even at Kapwing, we've had instances where employees or even investors have shared our internal-only metrics with competitors. We've also seen competitors copy our code or even our whole website in certain scenarios because they've been able to hack our systems.

My perspective is that corporate espionage on its own is not prevalent enough to merit excessive monitoring in most startup organizations. However, it's important to ensure that employees can be trusted, and more importantly are properly trained to recognize and surface security leaks when they might occur. Taking basic steps can already go a long way in preventing such an event in your own organization.

I hope this post offers a unique perspective on the Rippling vs Deel case, and I would love to hear your thoughts on whether or not it has affected your approach within your own organizations.
