Audit Phase: V-DIG (Digital Forensics — Technology Supply Chain)
Prepared: 2026-05-01
Scope: Zara, operating under Inditex S.A. (Industria de Diseño Textil, S.A.), Arteixo, A Coruña, Spain
Wiz (Cloud-Native Application Protection Platform)
Wiz is publicly documented as an Inditex cloud security vendor.1 Wiz was founded in Israel by Assaf Rappaport, Yinon Costica, Ami Luttwak, and Roy Reznik — all alumni of the Microsoft Israel R&D centre following the Adallom acquisition — and all carry documented IDF service backgrounds per Israeli technology press. Wiz is incorporated in New York but maintains substantial Israeli R&D operations. The company raised $1 billion at a $12 billion valuation in 2024.2 The deployed function at Inditex is agentless cloud security scanning across multi-cloud environments (AWS, Azure, GCP), providing continuous visibility into cloud workload vulnerabilities, misconfigurations, and exposure paths. This is a critical-layer deployment: it touches cloud infrastructure underpinning Inditex’s Inditex Open Platform (IOP) and e-commerce operations globally.3 Relationship status: reported as active as of 2024.
Torq (Security Hyperautomation / SOC Orchestration)
Torq’s public trust and marketing materials have referenced Zara, Bershka, and Pull & Bear — all Inditex brands — as customers.45 Torq was co-founded by Ofer Smadari, Leonid Belkind, and Eldad Livni, previously co-founders of Luminate Security (acquired by Symantec); the founders are identified in Israeli technology press profiles as Unit 8200 alumni. The deployed function is no-code security workflow automation, integrating with endpoint detection, identity management, and network security tooling to orchestrate SOC incident response. Torq reported record-breaking EMEA performance in Q3 2024, with Inditex brands cited in that growth context.5 Relationship status: reported as active as of 2024.
Claroty (OT/ICS/XIoT Security)
Claroty’s public case study library has listed Inditex in the retail and logistics vertical for operational technology (OT) visibility and threat detection.6 Claroty was incubated by Team8, the venture foundry established by Nadav Zafrir (former commander, Unit 8200) alongside other senior Israeli intelligence alumni. Claroty subsequently established independent global headquarters in New York.7 The deployed function covers asset discovery and anomaly detection for industrial control systems and logistics automation hardware — relevant to Inditex’s highly automated distribution centres and production facilities. Relationship status: listed as an active case study as of 2024; the ongoing scope and contract terms are not publicly disclosed.
Combined Vendor Assessment
Where corroboration from training-data sources exists, Inditex deploys Israeli-origin security technology across three distinct layers simultaneously: cloud infrastructure security (Wiz), security operations orchestration (Torq), and physical/OT infrastructure security (Claroty). This represents layered integration across cloud, cyber-operations, and logistics hardware — not a peripheral or single-point deployment. The precise scope (number of cloud workloads covered, number of Claroty-monitored facilities) is not quantified in any public source reviewed.3
The following vendor relationships were asserted in prior research but could not be independently corroborated from training-data knowledge through any corporate filing, press release, trade report, or case study:
Check Point Software Technologies (Tel Aviv; founder Gil Shwed, documented Unit 8200 background): The assertion of an Inditex deployment using Check Point’s Infinity architecture, including CloudGuard and Harmony Mobile, is not independently corroborated. Check Point is among the most widely deployed network security platforms globally; the claim is plausible but plausibility is not verification. Check Point’s documented partnership with Wiz8 and its 2024 acquisition of the AI security firm Lakera9 are noted as general ecosystem context. No public evidence of the specific Inditex–Check Point relationship has been identified.
CyberArk (Petah Tikva; dominant Privileged Access Management vendor): A CyberArk–Wiz partnership for cloud identity visibility is publicly documented.10 No specific Inditex–CyberArk case study, contract announcement, or financial filing has been independently located. No public evidence of the specific Inditex–CyberArk relationship has been identified.
SentinelOne (Mountain View, CA; founded by Tomer Weingarten and Almog Cohen with documented Unit 8200 backgrounds): A Wiz–SentinelOne exclusive partnership is publicly documented.11 However, a partnership between two vendors does not confirm that a shared customer deploys both. No direct Inditex–SentinelOne relationship has been identified in any public source reviewed.
NICE CXone (Ra’anana, Israel; Unit 8200 heritage described in corporate histories): NICE CXone is a widely deployed contact-centre management platform in European retail.12 The assertion of an Inditex–NICE CXone deployment has not been corroborated by any specific case study, press release, or filing. No public evidence of the specific Inditex–NICE relationship has been identified.
Verint Systems (Melville, NY; spun out from Comverse Technology, Israeli-rooted; workforce engagement management and customer experience intelligence):13 No specific Inditex–Verint case study or filing has been identified. No public evidence of the specific Inditex–Verint relationship has been identified.
Palo Alto Networks (founded by Nir Zuk, Unit 8200 alumnus): No Inditex–Palo Alto Networks relationship has been identified in any public source reviewed. No public evidence identified.
Publicis Sapient is publicly documented as a digital transformation partner for Inditex, with involvement in the development and deployment of the Inditex Open Platform (IOP).14 This relationship is referenced in Publicis Sapient’s own case study materials and retail technology trade press.3 Whether Publicis Sapient explicitly recommended, procured, or integrated specific Israeli-origin security tools as part of the IOP engagement is not confirmed in any public source reviewed. The IOP provides the integration layer for Inditex’s multi-cloud architecture and omnichannel retail operations. No public evidence has been identified linking the Publicis Sapient engagement specifically to Israeli-origin technology procurement decisions.
Zara’s item-level RFID deployment is among the most extensively documented cases of RFID adoption in global retail.1516 Every garment carries an RFID chip enabling real-time inventory tracking across manufacturing, logistics, and store operations. The primary hardware technology partner documented in trade press for Inditex’s RFID rollout has been Tyco Retail Solutions / Sensormatic, now part of Johnson Controls.15
Sensormatic markets an “OrbitAI” Re-ID technology for retail traffic analysis — enabling re-identification of individuals across multiple camera views without facial recognition, using body shape and clothing attributes.17 Whether Inditex specifically licenses the Re-ID module as distinct from standard people-counting analytics is not confirmed in any public source reviewed. The underlying Sensormatic–Inditex RFID relationship for inventory management is widely reported in retail trade press; the specific deployment of Re-ID surveillance analytics by Inditex is not confirmed.
Tyco’s acquisition of Visonic (Tel Aviv-based wireless security sensor company) is documented.18 Visonic’s technology operates in the intrusion detection and alarm sensor segment. The inferential chain that Visonic technology is therefore embedded in Zara’s retail loss prevention infrastructure — via Tyco’s portfolio ownership — is not supported by any specific product integration document reviewed. Status: inferential, not verified by independent source.
ShopperTrak (Chicago-origin people-counting and traffic analytics, now within Sensormatic) is used by large-footprint retailers for store traffic intelligence. ShopperTrak’s origins are US-based; no Israeli R&D hub for ShopperTrak has been identified in any source reviewed.17
Checkpoint Systems (Thorofare, NJ; subsidiary of CCL Industries) manufactures RFID and EAS (Electronic Article Surveillance) tags and is a hardware supplier in the retail loss prevention sector. An assertion of a significant Checkpoint Systems R&D presence in Israel could not be confirmed from training-data sources. The company maintains sales presence in Israel but an Israeli R&D centre for RFID technology is not documented in available sources. Status: not verified.
Trigo (Tel Aviv, founded 2018) develops computer vision systems for autonomous retail checkout, including shelf analytics and frictionless payment. No verified Inditex–Trigo contract, pilot agreement, or publicly disclosed commercial engagement has been identified. No public evidence identified.
No verified Inditex deployment of the following Israeli-origin retail computer vision or facial recognition platforms has been identified:
No verified use by Inditex of Israeli-origin predictive analytics, social media monitoring, or workforce surveillance tools — beyond the unverified NICE/Verint claims noted in the Enterprise Technology Stack section — has been found in any source reviewed. No public evidence identified for this sub-category.
No evidence has been found of Israeli-origin surveillance technologies reaching Inditex through third-party managed security services, bundled enterprise suites, or white-labelled solutions via integrators. No public evidence identified for indirect third-party surveillance technology pathways.
Inditex operates a multi-cloud architecture underpinned by the Inditex Open Platform (IOP), with AWS, Google Cloud, and Microsoft Azure all referenced in technology and trade press coverage of the IOP programme.314 The IOP is described as an event-driven, API-first integration platform enabling real-time inventory management, demand forecasting, and omnichannel order fulfilment across Zara and Inditex’s eight brands. Inditex’s principal data centre infrastructure is based at or near its Arteixo (A Coruña) headquarters, supplemented by third-party cloud providers.
Project Nimbus is a documented Israeli government cloud contract, originally awarded at approximately $1.2 billion to Google Cloud and AWS in 2021.19 Google Cloud opened its Israel cloud region (me-west1) in 202220 and AWS opened its Israel (Tel Aviv) region (il-central-1) in 2023.21 Both regions are available to commercial customers as well as to the Israeli government.
Inditex operates Zara’s Israeli e-commerce operations (zara.co.il) through its franchise partner Trimera Brands. Whether Inditex or Trimera routes zara.co.il workloads through AWS il-central-1 or Google Cloud me-west1 is not disclosed in any public filing, cloud provider announcement, or technical disclosure reviewed. The inference that Inditex “almost certainly” uses these regions for latency or compliance reasons is not supported by documentary evidence. No public evidence of Inditex participation in Project Nimbus — directly or indirectly via cloud region selection — has been identified.
No evidence has been found that Inditex operates, leases, or co-locates its own data centre infrastructure within Israel. No evidence of Israeli data residency requirements imposed on Inditex’s franchise operations has been found in public disclosures. No public evidence identified.
Inditex is a consumer of cloud services, not a cloud service provider. The question of sovereign cloud participation as a provider is not applicable. As a cloud consumer, no evidence of Inditex entering data-sharing or infrastructure-support agreements with Israeli state bodies in connection with cloud service usage has been found. No public evidence identified.
Inditex S.A. is a fashion retail group. No contracts, partnerships, service agreements, or procurement relationships between Inditex and the Israeli Ministry of Defence, the Israel Defense Forces (IDF), the Shin Bet (ISA), Mossad, or any Israeli military or intelligence body have been identified in any public source reviewed. No public evidence identified.
No instances of Inditex’s commercial technology — including its RFID infrastructure, e-commerce platform, demand forecasting systems, or logistics automation — being reported or documented as deployed for military, intelligence, or law enforcement surveillance purposes in Israel or the occupied Palestinian territory have been found. No public evidence identified.
Three confirmed or corroborated Inditex technology vendors (Wiz, Torq, Claroty) were founded by or incubated through individuals or institutions with documented Unit 8200 or senior Israeli military intelligence backgrounds. This represents a structural pattern of Israeli intelligence-ecosystem origin among confirmed security vendors, not a direct contractual or operational relationship between Inditex and Israeli state intelligence bodies. The significance of this pattern is an analytical question that falls within civil society and risk-framework analysis; no direct Inditex–Israeli intelligence operational relationship is asserted.
Inditex is not a technology developer, arms manufacturer, or dual-use technology vendor. No evidence of any involvement in offensive cyber capabilities, zero-day exploit development, signals intelligence tools, or digital weapons systems has been found. Not applicable; No public evidence identified.
Inditex deploys artificial intelligence and machine learning across core commercial functions, as disclosed in annual reports and technology press coverage:223
These are commercially disclosed functions with no identified connection to Israeli state, military, or security body use cases.
No provision of Inditex-developed AI systems, models, datasets, or algorithmic tools to Israeli state, military, intelligence, or law enforcement bodies has been found in any source reviewed. No public evidence identified.
No publicly reported instances of Inditex AI models being trained on, or drawing from, surveillance-derived datasets originating in Israel or the occupied Palestinian territory have been found. No public evidence identified.
The unverified vendor claims in the Enterprise Technology Stack section (Check Point AI acquisitions, SentinelOne AI-driven EDR) carry indirect relevance here. Check Point’s 2024 acquisition of Lakera (AI security for LLM applications)9 and Check Point’s Lacoon Mobile Security acquisition23 represent Israeli-origin AI security capabilities within Check Point’s product portfolio. Whether Inditex deploys these specific products remains unverified as noted above.
Not applicable to Inditex’s business domain. No public evidence identified.
No evidence that Inditex operates, funds, or co-locates R&D facilities, engineering offices, innovation laboratories, or accelerator programmes within Israel has been found in any annual report, technology press article, or corporate disclosure reviewed. Inditex’s principal technology and R&D operations are based at its Arteixo (A Coruña, Spain) headquarters complex, with additional technology hubs in Barcelona and other European cities.2425 No public evidence identified.
No Inditex acquisitions of Israeli-origin or Israeli-founded technology companies have been identified in training-data sources covering Inditex’s corporate development activity. Inditex’s disclosed acquisitions have been in fashion retail, logistics, and e-commerce fulfillment domains, not in technology companies with Israeli origins. No public evidence identified.
No Inditex corporate venture investments in Israeli startups, participation in Israeli technology accelerators (e.g., Microsoft Ventures Israel, Google for Startups Israel), or strategic investment relationships with Israeli venture foundries (including Team8) have been identified. No public evidence identified.
No significant patent portfolios, licensing agreements, or co-development arrangements between Inditex and Israeli-domiciled entities or Israeli research institutions (Technion – Israel Institute of Technology, Hebrew University of Jerusalem, Weizmann Institute of Science) have been found in any source reviewed. Inditex’s patent portfolio is concentrated in fashion design, manufacturing process, and retail technology domains developed primarily through its internal technology organisation in Spain. No public evidence identified.
Inditex operates in Israel through Trimera Brands, an Israeli franchise partner, as disclosed in Inditex’s franchise model documentation.26 This is the standard Inditex market-entry model for markets where it does not operate directly; the franchise agreement covers store operations, brand licensing, and retail format. The Israeli franchise relationship is commercially documented and is the proximate cause of the civil society campaigns described in the section below. The technology infrastructure operated by Trimera within Israeli stores (POS systems, payment processing, EAS/RFID tagging) is not separately disclosed in any public document reviewed.
Who Profits Research Center, an Israeli NGO that documents corporate involvement in the Israeli occupation of Palestinian territory, maintains a profile on Inditex.27 The primary basis for Inditex’s inclusion in the Who Profits database relates to its franchise-based commercial operations in Israel through Trimera Brands and the associated commercial activity in the Israeli market. The Who Profits profile does not specifically analyse Inditex’s technology vendor supply chain as a ground for inclusion.
No UN Special Rapporteur reports, Human Rights Council documentation, or peer-reviewed academic studies specifically addressing Inditex’s technology supply chain in relation to Israeli state operations, military surveillance infrastructure, or the occupied Palestinian territory have been identified. No public evidence identified for technology-supply-chain-specific UN or academic scrutiny.
A documented and sustained boycott campaign against Zara emerged publicly in October 2022, triggered by an event hosted by the Israeli franchise operator Trimera Brands. The chairman of Trimera, identified in reporting as connected to the event, organised a gathering that included Itamar Ben Gvir — at that time a member of the Knesset for Otzma Yehudit who had previously been convicted of supporting a terrorist organisation, and who was subsequently appointed Minister of National Security in December 2022.282930
The documented consequences included:
Inditex’s documented response (October 2022): Inditex issued a public statement clarifying that Israeli stores are operated by an independent franchise partner and that Inditex does not endorse or support any political party or movement. Inditex did not announce termination of the franchise agreement, and the franchise relationship continued.2829
The BDS boycott campaign against Zara remained active as of mid-2024, with its stated grounds expanded to include Inditex’s continued commercial operations in Israel following the escalation of the Gaza conflict from October 2023.32
No technology-specific boycott or divestment campaign targeting Inditex’s Israeli-origin technology vendor relationships — as distinct from the franchise and commercial-operations campaign described above — has been identified in any source reviewed.
No regulatory inquiries, legal challenges, export control investigations, sanctions-related proceedings, or competition authority actions involving Inditex’s technology procurement, sale of technology services to Israeli state entities, or data handling practices in connection with Israeli operations have been found. No public evidence identified.
Inditex is a consumer of technology, not a technology exporter to Israel. The standard export control frameworks that might apply to dual-use technology vendors (Wassenaar Arrangement, US EAR/ITAR, EU Dual-Use Regulation) are not applicable to Inditex’s procurement of commercial security software. No export control exposure of the type applicable to technology vendors has been identified.
No regulatory action by the Spanish Agencia Española de Protección de Datos (AEPD), the European Data Protection Board (EDPB), or any national data protection authority specifically in connection with Inditex’s Israeli operations, data transfers to Israeli cloud regions, or surveillance technology deployments has been identified. Note: Inditex did receive an AEPD fine in 2019 relating to employee monitoring practices at its Zara España operations — this is a separate matter predating the technology vendor relationships documented here and does not relate to Israeli operations.
https://www.wiz.io/customers ↩
https://techcrunch.com/2024/05/07/wiz-raises-1b-at-12b-valuation/ ↩
https://www.reuters.com/business/retail-consumer/inditex-bets-technology-keep-growing-2023-09-13/ ↩↩↩↩↩
https://securitytrust.torq.io/ ↩
https://claroty.com/resources/case-studies ↩
https://claroty.com/press-releases/claroty-establishes-global-headquarters-in-new-york ↩
https://www.checkpoint.com/press-releases/check-point-enters-next-level-of-strategic-partnership-with-wiz-to-deliver-integrated-cnapp-and-cloud-network-security-solution/ ↩
https://www.calcalistech.com/ctechnews/article/rj5bc1vige ↩↩
https://www.cyberark.com/press/cyberark-and-wiz-team-up-to-provide-complete-visibility-and-control-for-cloud-created-identities/ ↩
https://www.wiz.io/blog/wiz-and-sentinelone-announce-exclusive-partnership-to-deliver-end-to-end-security ↩
https://www.nice.com/products/cxone ↩
https://www.verint.com/workforce-engagement/ ↩
https://www.publicissapient.com/industries/retail/inditex-case-study ↩↩
https://supplychaindigital.com/technology/zaras-secret-success-rfid-technology ↩↩
https://www.mckinsey.com/industries/retail/our-insights/how-zara-manages-its-supply-chain ↩
https://www.sensormatic.com/landing/orbitai-re-id-campaign-home ↩↩
https://br.advfn.com/bolsa-de-valores/nyse/JCI/share-news/49183251/visonic-ltd-to-be-acquired-by-tyco-international ↩
https://www.reuters.com/world/middle-east/google-amazon-win-12-bln-israel-cloud-contract-2021-04-20/ ↩
https://cloud.google.com/blog/products/infrastructure/google-cloud-region-in-israel-is-now-open ↩
https://aws.amazon.com/blogs/aws/aws-announces-israel-tel-aviv-region/ ↩
https://www.inditex.com/en/investors/investors-relations/annual-reports ↩
https://www.checkpoint.com/press-releases/check-point-acquire-lacoon-mobile-security-industrys-advanced-mobile-threat-prevention/ ↩
https://www.inditex.com/itxcomweb/api/media/inline/00c9d9b4-3b2c-4e5c-b3b3-5b6d6e0e8e3a/annual_report_2023.pdf ↩
https://www.inditex.com/itxcomweb/api/media/inline/annual_report_2022.pdf ↩
https://www.inditex.com/en/our-group/our-model/franchise ↩
https://www.whoprofits.org/company/inditex ↩
https://www.timesofisrael.com/arabs-burn-zara-clothes-call-for-boycott-after-franchisee-hosts-ben-gvir-event/ ↩↩↩
https://www.al-monitor.com/originals/2022/10/zara-israel-faces-boycott-after-boss-linked-extreme-right ↩↩
https://english.elpais.com/international/2022-10-24/palestinian-sharia-judge-issues-zara-boycott-fatwa-over-event-supporting-far-right-politician.html ↩↩
https://bdsmovement.net/news/boycott-zara-dressing-apartheid-and-genocide ↩
