Primary sector: Banking

Upstart

Upstart Holdings, Inc. · EFROS US AI Vendor Governance Index entry

By Stefan Efros, CEO & Founder, EFROS. Reviewed by Daniel Agrici, Chief Security Officer, EFROS.

Composite governance score

74 / 100 (grade B)

B = strong posture. Deployable in regulated workloads with documented compensating controls.

Axes scored: 9 / 11
Trust-center maturity: 3 / 5
Sector weighting: Banking

About this vendor

AI lending platform with CFPB no-action letter history. Operates as a partner for community banks and credit unions that want AI-driven origination without building it internally. Its CFPB scrutiny and fair-lending audit history are unusually deep.

Enterprise tier
Upstart Referral Network, Upstart Auto Retail, Upstart for Banks (white-label AI lending platform)

Twelve-axis governance scoring

Each axis is scored Yes / Partial / No / N/A against public evidence — vendor trust portals, BAAs/DPAs, SOC 2 report cover pages, published methodology documents. N/A applies when the axis is structurally inapplicable (foundation models, for example, defer Section 1557 to the downstream healthcare deployer).

Axis | Status | EFROS note | Source
BAA / DPA available | Yes | Upstart signs DPAs and data-handling agreements with partner banks. BAA-eligible where PHI exposure exists in partner-bank datasets. | Upstart Security
Training-data opt-out | Yes | Partner-bank customer data is processed under contracted purpose limitation; cross-bank model training happens only with consortium consent. | Upstart Privacy
US data residency option | Yes | US data residency is standard. | Upstart Security
SOC 2 Type II report | Yes | Upstart holds a SOC 2 Type II report. | Upstart Security
ISO/IEC 42001 attestation | No | No ISO/IEC 42001 attestation. | Public posture review
NIST AI RMF self-attestation | Partial | Upstart publishes Responsible AI and fair-lending governance documentation rather than a formal NIST AI RMF self-attestation. | Upstart Responsible AI
Colorado AI Act readiness | Partial | Upstart has publicly engaged on Colorado AI Act readiness for credit decisioning. | Upstart customer documentation
HHS-OCR Section 1557 readiness | N/A | Banking-vertical positioning. | Upstart positioning
FRB SR 11-7 readiness | Yes | CFPB no-action letter history (Sept 2017, renewed 2020) gives unusually deep fair-lending audit defensibility; SR 11-7-grade validation documentation is maintained for partner-bank examiner needs. Note that the no-action letter is a CFPB fair-lending artifact, not an SR 11-7 model validation: the Yes rests on the validation documentation Upstart makes available to partner banks, which examiners should ask to see directly. | CFPB No-Action Letter history
ABA Formal Op 512 readiness | N/A | Banking-vertical positioning. | Upstart positioning
Subprocessor list public | Partial | Subprocessor list is available to enterprise customers under NDA, not published. | Upstart Security

Trust-center maturity

3 / 5

Mature security documentation; CFPB engagement history is the differentiating compliance artifact. Trust portal less self-serve than enterprise platform vendors.

Source: Upstart Security

Deep dive

Overview

Upstart is uniquely defensible on fair-lending because of the CFPB no-action letter history — no other US AI lending vendor has that paper trail. The white-label partner model lets community banks deploy AI lending under Upstart's compliance umbrella, which is operationally easier than standing up internal validation. The cost is platform dependence: partner banks operate within Upstart's product roadmap rather than building proprietary capability.

Strengths

  • CFPB no-action letter history (Sept 2017 + 2020 renewal)
  • Fair-lending audit defensibility uniquely deep
  • Partner-bank model — origination under Upstart compliance umbrella
  • SR 11-7-grade validation maintained for partner needs

Weaknesses

  • Platform dependence — partner banks operate within Upstart's roadmap
  • No ISO/IEC 42001
  • Subprocessor transparency NDA-gated

Best-fit use case

Community banks and credit unions wanting AI-driven personal lending or auto origination without internal model risk management capacity. The CFPB engagement history reduces partner-bank examiner risk.

Avoid when

Banks that want proprietary AI capability or are concerned about platform dependence — building on FICO or licensing Zest AI keeps decisioning closer to in-house.

Operator's take

Deploy Upstart when a community bank or credit union wants AI-driven personal lending or auto origination without internal model risk management capacity; the CFPB engagement history reduces partner-bank examiner risk. The composite score of 74 (grade B) reflects a defensible posture for regulated US workloads. Skip the vendor when the bank wants proprietary AI capability or is concerned about platform dependence; building on FICO or licensing Zest AI keeps decisioning closer to in-house. In every deployment, treat the cells above as a snapshot: the acquisition that gets to production safely is the one that re-verifies the trust-center posture before contract signature and rebuilds the matrix at renewal.

How this scoring is computed

The composite score blends eleven scoreable axes (BAA, training opt-out, US data residency, SOC 2, ISO/IEC 42001, NIST AI RMF, Colorado AI Act, Section 1557, SR 11-7, ABA Op 512, subprocessor transparency) with the trust-center maturity score. Axes marked N/A are excluded from the denominator so vendors are not penalized for sector-inapplicable axes. The vendor's primary sector amplifies the most relevant axes — healthcare vendors weight Section 1557 ×2, legal vendors weight ABA Op 512 ×2, banking vendors weight SR 11-7 ×2 — so the composite reflects what matters in the actual buying context.
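To make the denominator rule concrete, here is an added example (not EFROS's code) that recomputes an Index-style composite from the cells in the table above. The page does not publish the numeric values behind Yes / Partial / No or the proportion in which the trust-center score is blended in, so the map Yes=1, Partial=0.5, No=0 and the 10% trust-center weight are assumptions of this example. Under them Upstart's axes score 0.75 and the composite lands at 73.5, which rounds to the published 74, but that agreement does not confirm the Index's actual weights. The changed_axes helper supports the re-check at renewal that the operator's take calls for.

```python
"""Recompute an EFROS-style composite from an axis table.

Added example, not EFROS code. The page states the rule (N/A axes leave the
denominator, the primary sector's anchor axis counts twice, the trust-center
maturity score is blended in) but not the numeric map for Yes/Partial/No or
the blend weight. Those two are assumptions, marked below.
"""
from typing import Dict, Tuple

Status = str  # "Yes" | "Partial" | "No" | "N/A"

# ASSUMPTION: numeric map for cell statuses (not published on the page).
STATUS_VALUE: Dict[str, float] = {"Yes": 1.0, "Partial": 0.5, "No": 0.0}

# From the page: the primary sector's anchor axis is weighted x2.
SECTOR_WEIGHT: Dict[str, Dict[str, float]] = {
    "Healthcare": {"HHS-OCR Section 1557 readiness": 2.0},
    "Legal": {"ABA Formal Op 512 readiness": 2.0},
    "Banking": {"FRB SR 11-7 readiness": 2.0},
}

# Upstart's cells as shown in the table on this page.
UPSTART_CELLS: Dict[str, Status] = {
    "BAA / DPA available": "Yes",
    "Training-data opt-out": "Yes",
    "US data residency option": "Yes",
    "SOC 2 Type II report": "Yes",
    "ISO/IEC 42001 attestation": "No",
    "NIST AI RMF self-attestation": "Partial",
    "Colorado AI Act readiness": "Partial",
    "HHS-OCR Section 1557 readiness": "N/A",
    "FRB SR 11-7 readiness": "Yes",
    "ABA Formal Op 512 readiness": "N/A",
    "Subprocessor list public": "Partial",
}


def axis_score(cells: Dict[str, Status], sector: str) -> float:
    """Weighted mean over scoreable axes, in [0, 1].

    N/A cells are skipped entirely, so they add to neither numerator nor
    denominator: a banking vendor is not penalised for Section 1557.
    """
    weights = SECTOR_WEIGHT.get(sector, {})
    num = den = 0.0
    for axis, status in cells.items():
        if status == "N/A":
            continue
        if status not in STATUS_VALUE:
            raise ValueError(f"unknown status {status!r} on axis {axis!r}")
        w = weights.get(axis, 1.0)
        num += w * STATUS_VALUE[status]
        den += w
    if den == 0:
        raise ValueError("every axis is N/A; nothing to score")
    return num / den


def composite(cells: Dict[str, Status], sector: str, trust_center: int,
              trust_weight: float = 0.10) -> float:
    """0..100 composite; trust_center is the 0..5 trust-center maturity score.

    ASSUMPTION: the page says the two are blended but not in what proportion;
    trust_weight=0.10 is this example's placeholder, not the Index's weight.
    """
    if not 0 <= trust_center <= 5:
        raise ValueError("trust-center maturity is scored 0..5")
    tc = trust_center / 5.0
    return 100.0 * ((1.0 - trust_weight) * axis_score(cells, sector) + trust_weight * tc)


def changed_axes(old: Dict[str, Status], new: Dict[str, Status]) -> Dict[str, Tuple[Status, Status]]:
    """Cells that moved between two snapshots, e.g. at contract renewal."""
    return {a: (old.get(a, "N/A"), new.get(a, "N/A"))
            for a in set(old) | set(new) if old.get(a) != new.get(a)}


if __name__ == "__main__":
    print(f"axis score: {axis_score(UPSTART_CELLS, 'Banking'):.3f}")    # 0.750
    print(f"composite:  {composite(UPSTART_CELLS, 'Banking', 3):.1f}")  # 73.5
    # Constructed renewal snapshot: the vendor has since obtained ISO/IEC 42001.
    renewal = {**UPSTART_CELLS, "ISO/IEC 42001 attestation": "Yes"}
    print(changed_axes(UPSTART_CELLS, renewal))
    print(f"after ISO 42001: {composite(renewal, 'Banking', 3):.1f}")   # 82.5
```

Scoring the same cells under a different sector shows the weighting effect: with "Healthcare" the SR 11-7 doubling disappears and the two N/A rows still drop out, so the axis score falls to 6.5 / 9. That is the mechanism the methodology paragraph describes, and the reason a vendor's composite should only be compared with others in the same sector column.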

Read the full methodology →

Disagree with this scoring?

Every cell in the EFROS Index is source-cited, and EFROS publishes the scoring rationale per cell. If you have a public source that contradicts a score for Upstart (a new BAA, a new certification, a documented policy change), submit a formal challenge below. EFROS re-verifies against the source, responds within 14 days, and publishes any re-score with the next quarterly edition (or as a mid-quarter changelog entry if the change is material).


Disclaimer. Scoring as of 2026-05-13. Posture changes frequently — re-verify with the vendor's trust center before contract. This page is informational; it is not legal advice. EFROS clients get a refreshed posture review as part of the AI Governance Audit.

Take the scoring into production

The Index tells you the posture. These engagements turn the posture into a deployable program — vendor selection, governance policy, sector overlay, audit-ready evidence.