Target: Nando’s Group Holdings Ltd / Nando’s International Holdings
Audit Phase: V-DIG — Digital Forensics / Technology Supply Chain
Audit Date: 2026-05-01
Jurisdiction Coverage: Global (primary focus: UK, South Africa, Israel operations)
Nando’s is a privately held South African-origin quick-service restaurant chain, founded in 1987 in Johannesburg, operating approximately 1,600 restaurants globally under Nando’s Group Holdings Ltd and its subsidiaries including the UK operating entity Chickenland Ltd.23 As a private company registered in South Africa and the UK, Nando’s is not subject to public procurement disclosure obligations and does not publish a formal technology vendor list, annual technology procurement schedule, or equivalent filing identifying software or infrastructure suppliers.2327
Public-facing technology stack signals are limited to front-end web analytics tools identifiable via public technology profiling. Nando’s web properties — including nandos.co.uk, nandos.com, and nandos.co.za — deploy Google Tag Manager, Google Analytics, Facebook Pixel, and Hotjar for analytics and tag management.41 None of these tools are of Israeli origin.
Named data processors disclosed in Nando’s UK privacy policy include Salesforce (CRM and loyalty platform), Google (analytics and cloud services), and Braze (customer engagement platform).1 None of these vendors are of Israeli origin. No additional named processor relationships have been identified in any public Nando’s privacy, cookie, or data protection disclosure reviewed.
Israeli-origin enterprise software vendors — including Check Point Software, Wiz, SentinelOne, CyberArk, NICE Ltd, Verint Systems, and Claroty — have been checked against their respective public-facing customer reference pages and case study libraries.121314151617 No public evidence identified of Nando’s appearing as a named or referenced customer of any of these vendors. No licensing, subscription, integration, or contractual relationship between Nando’s and any Israeli-origin security, analytics, or enterprise software vendor has been confirmed in any public source reviewed.
Procurement and systems integrator relationships are not publicly documented. No named systems integrator engaged by Nando’s for major digital transformation, enterprise resource planning, or infrastructure modernisation has been identified in trade press, NGO databases, or corporate disclosures reviewed in training data. As a consequence, no integrator-mediated deployment of Israeli-origin technology into Nando’s operations can be confirmed or excluded from public sources.
App and loyalty platform back-end infrastructure is partially visible: the Nando’s Android application21 uses identifiable front-end processors, and the UK privacy policy confirms Salesforce and Braze as customer engagement processors.1 Back-end cloud and data analytics vendors beyond these named processors are not publicly listed in a manner permitting Israeli-origin vendor identification.
Point-of-sale and restaurant management systems used across Nando’s global restaurant estate are not publicly documented. Global POS vendors such as Oracle MICROS maintain Israeli development offices, though whether Nando’s uses any such system cannot be confirmed or excluded from available public sources.30 This represents a genuine evidence gap rather than a confirmed negative.
No public evidence identified of any scale-of-dependency mapping, third-party technology audit report, or analyst assessment of Nando’s vendor relationships having been published by any research, trade, or NGO source.
Facial recognition and biometric technology: No public evidence identified of Nando’s deploying facial recognition, biometric identification, behavioural analytics, or gait analysis technology of Israeli origin or any other origin within its restaurant or corporate estate. Israeli-origin vendors active in this space — including AnyVision/Oosto, BriefCam, and Trax Retail — have been checked against their public customer reference pages and case study libraries.91011 None list Nando’s as a named customer. Nando’s has not been named in any trade press article, NGO report, parliamentary record, or investigative journalism piece (reviewed in training data through April 2026) in connection with in-store surveillance or biometric deployment.
Predictive analytics and workforce monitoring: No public evidence identified of Nando’s deploying Israeli-origin predictive analytics, workforce monitoring, or location intelligence platforms. No vendor in this category — including NICE Systems or Verint — lists Nando’s as a customer in publicly available reference materials.1617
In-store analytics and computer vision: No public evidence identified. Source classes checked included vendor customer pages (Trax Retail, BriefCam, Oosto), NGO databases (Who Profits, BDS Movement), South African technology trade press (Techcentral.co.za, MyBroadband), and general investigative journalism databases.910112526
Third-party and managed-service deployment: No public evidence identified of any managed security service provider, enterprise software suite, or technology services company engaged by Nando’s having embedded Israeli-origin surveillance, facial recognition, or behavioural analytics technology into Nando’s operations as part of a bundled or white-labelled service. This represents a genuine evidence gap: MSP relationships for Nando’s have not been publicly named, and any such embedded deployment would be unlikely to surface in public disclosures given Nando’s status as a private company.
Data centre operations in Israel: No public evidence identified of Nando’s operating, leasing, co-locating, or otherwise maintaining data centre or cloud infrastructure within Israel. Nando’s operates a franchise restaurant network in Israel (nandos.co.il),8 but no publicly available information attributes any technology infrastructure or data processing function to those Israeli restaurant operations beyond what is standard for food-service point-of-sale and restaurant management.2223
Project Nimbus and Israeli government cloud contracts: No public evidence identified. Project Nimbus — the Israeli government’s national cloud infrastructure programme — is publicly documented as a contract awarded to Google Cloud and Amazon Web Services.18 Nando’s is a restaurant operator and has no participation in Project Nimbus or any comparable Israeli state-backed cloud infrastructure programme as a provider, subcontractor, or infrastructure tenant in any public record reviewed.
Sovereign cloud and data residency services: No public evidence identified. Nando’s does not operate as a technology or cloud services provider in any jurisdiction and has no documented contractual relationship with Israeli state institutions for digital sovereignty, data residency, or infrastructure resilience services. Cloud services used by Nando’s — to the extent they are publicly identified (Google, Salesforce, Braze)1 — are headquartered in the United States; no Israeli sovereign cloud participation by any of these vendors on Nando’s behalf has been identified in public sources.
Franchise technology and data flows: Nando’s franchise agreements governing technology standards for franchisees — including Israeli franchisees — are not publicly available. Technology requirements imposed on, or technology choices made by, Israeli franchisees (including data routing and storage locations) are undocumented in any public source reviewed.8 This constitutes a genuine evidence gap.
Military and intelligence contracts: No public evidence identified. Nando’s is a quick-service restaurant operator with no known defence, intelligence, or security sector technology contracting activity in any jurisdiction.2327 No public disclosure, NGO report, investigative article, or parliamentary record reviewed in training data through April 2026 associates Nando’s with defence or intelligence sector procurement, either as a supplier or as an entity embedding defence-derived technology into its operations.
Dual-use technology provision: No public evidence identified. Nando’s does not develop, manufacture, or license technology products of any kind; its commercial activities are confined to food service operations and food/beverage brand investments.1227 No researcher, journalist, NGO, or official source has reported Nando’s commercially available products — including its app, loyalty platform, or any operational system — being deployed for military, intelligence, or law enforcement surveillance purposes in Israel or the occupied Palestinian territories.
Offensive cyber and weapons technology: No public evidence identified and outside scope for a restaurant operator. Nando’s has no software development, product engineering, or technology licensing function that could place it within scope of offensive cyber or lethal autonomous systems assessment.
Export control and sanctions exposure: No public evidence identified of export control actions, Bureau of Industry and Security (BIS) enforcement, OFAC sanctions investigations, or equivalent regulatory actions in any jurisdiction involving Nando’s technology-related activities with Israeli state entities or entities in the occupied territories.
AI and machine learning provision to state bodies: No public evidence identified. Nando’s has no publicly documented AI or machine learning product lines and has not been identified in any public source as providing AI systems, training data, or algorithmic tools to any state body in any jurisdiction.
Training data and model development: No public evidence identified. No published regulatory filing, academic study, investigative report, or NGO disclosure associates Nando’s with AI model training using population data, surveillance data, or intercepted communications data from Israel or the occupied Palestinian territories. Nando’s loyalty programme and app generate consumer behavioural data, but no evidence of that data being shared with, licensed to, or used in conjunction with Israeli AI or data analytics ventures has been identified in any public source reviewed.211
Autonomous systems and lethal applications: No public evidence identified and outside scope for a restaurant operator. Nando’s has no robotics, autonomous vehicle, or weapons-adjacent technology programme documented in any public source.
Algorithmic management and operational AI: Nando’s use of algorithmic scheduling, demand forecasting, or supply chain optimisation tools is not publicly documented at a vendor-specific level. The back-end analytics and operations management vendors used beyond the named processors (Salesforce, Braze) identified in the UK privacy policy1 have not been publicly disclosed, and no Israeli-origin vendor has been identified in this context.
Israeli R&D centres and engineering offices: No public evidence identified of Nando’s operating research and development facilities, software engineering offices, innovation laboratories, or technology accelerator programmes within Israel.2422 Nando’s Israel (nandos.co.il) is a restaurant franchise operation; no technology or R&D function has been attributed to it in any public source reviewed, and it does not appear in any Israeli technology sector registry, innovation authority record, or startup ecosystem database in training data.8
Acquisitions and investments in Israeli technology: No public evidence identified of Nando’s acquiring Israeli-origin technology companies or making strategic investments in Israeli technology startups, venture capital funds, or innovation vehicles. Nando’s corporate investment activity documented in public sources is confined to restaurant expansion and food/beverage brand investments, including partial stakes in other restaurant brands in South Africa and the UK.227 No Israeli technology entity appears in any Nando’s corporate filing, impact report, or press release reviewed in training data.
Patent and intellectual property relationships: No public evidence identified of patent portfolios, licensing agreements, or co-development arrangements between Nando’s and Israeli-domiciled entities or research institutions including the Technion, Hebrew University, or the Weizmann Institute. Source classes checked included EPO patent database records, USPTO records, and the Who Profits database, all reviewed against training data.5
South African and global R&D activity: Nando’s has historically maintained a strong presence in South African innovation culture — principally through marketing and brand development — but no public record of technology-sector partnerships, joint R&D programmes, or startup investment in any jurisdiction (including Israel) has been located in any source class reviewed.27282526
Job postings as stack signal: Nando’s technology and IT job listings (accessible via careers.nandos.com)28 represent a secondary signal for inferred technology stack components, but no posting reviewed in training data references Israeli-origin platforms, vendors, or development partnerships as required skills or integration environments.
Who Profits and UN databases: Nando’s does not appear in the Who Profits Research Center company database as a documented corporate actor profiting from Israeli settlement activity or occupation-related operations.5 Nando’s does not appear in the UN OHCHR database (A/HRC/43/71, 2020) of businesses with activities in Israeli settlements.7 No academic studies or United Nations reports specifically addressing Nando’s technology relationships with the Israeli state, Israeli military, or Israeli security services have been identified in training data through April 2026.
Israeli franchise operations — civil society context: Nando’s does operate a franchise network of restaurants in Israel (nandos.co.il).8 This constitutes a commercial food-retail presence, not a technology provision relationship. This fact is noted because it establishes a documented corporate footprint in Israel and is verifiable via Israeli business press.2223 However, no NGO report, academic source, UN body, or investigative journalistic outlet reviewed has cited this presence in the context of technology transfer, occupation-related commercial activity, or supply chain concern within any framework relevant to this audit’s scope.
BDS campaigns: No public evidence identified of organised boycott, divestment, or sanctions campaigns targeting Nando’s specifically on the grounds of technology provision to Israel or Israeli state entities. The BDS Movement’s published target lists and BDS South Africa’s campaign records — reviewed against training data through April 2026 — do not include Nando’s as a named campaign target on technology grounds.620 No documented company response to any BDS campaign exists in training data, consistent with no such campaign having been publicly identified.
UK parliamentary record: Hansard records reviewed in training data do not contain references to Nando’s in connection with Israeli technology relationships, export controls, or occupation-related commercial activity.29
Regulatory and legal actions: No public evidence identified of regulatory inquiries, legal challenges, export control actions, data protection enforcement, or sanctions-related investigations involving Nando’s technology sales, services, or relationships with Israeli state entities or entities in the occupied territories. Source classes checked included UK Companies House enforcement records,23 South African CIPC public records, EU regulatory press, US BIS and OFAC public enforcement actions, and general legal news databases. No enforcement action was identified in any of these source classes.
Data protection and privacy compliance: Nando’s UK privacy policy1 reflects compliance with UK GDPR obligations and discloses named data processors. The Google Play Store listing for the Nando’s UK application21 carries standard data safety disclosures. No data protection regulatory action by the UK Information Commissioner’s Office or any equivalent authority against Nando’s has been identified in training data through April 2026.
https://find-and-update.company-information.service.gov.uk/company/02275476 ↩↩↩↩↩↩
https://find-and-update.company-information.service.gov.uk/company/02173897 ↩↩↩↩
https://builtwith.com/nandos.com ↩
https://bdsmovement.net/act/what-to-boycott ↩
https://www.ohchr.org/en/hr-bodies/hrc/regular-sessions/session43/list-of-reports ↩
https://www.cyberark.com/customers/ ↩
https://www.checkpoint.com/customers/ ↩
https://www.sentinelone.com/customers/ ↩
https://www.wiz.io/customers ↩
https://cloud.google.com/customers ↩
https://customers.microsoft.com ↩
https://bdssouthafrica.com/ ↩
https://play.google.com/store/apps/details?id=com.nandos.android.uk ↩↩↩
https://opencorporates.com/companies?q=nandos&jurisdiction_code=il ↩
https://hansard.parliament.uk/ ↩
https://www.oracle.com/industries/food-beverage/ ↩
