Tesco Digital Audit

Audit Phase: V-DIG (Digital Forensics — Cyber-Intelligence & Technology Supply Chain)
Target: Tesco PLC
Compiled: 2026-05-01


Enterprise Technology Stack & Vendor Relationships

Primary Cloud Partnership

Tesco’s most significant confirmed technology dependency is a multi-year strategic partnership with Google Cloud, announced in 2020 and expanded through 2022–2023 12. Google Cloud serves as Tesco’s primary hyperscale cloud platform, with migrated workloads spanning data analytics, supply chain systems, and AI/ML pipelines 318. Tesco’s internal engineering function — documented via the Tesco Technology blog and Capital Markets Day materials — confirms deep integration with Google Cloud-native services alongside open-source tooling including Kafka, Spark, and Kubernetes 423.

Google Cloud is US-headquartered and is not Israeli-origin. However, Google Cloud is a direct party to Project Nimbus, the Israeli government cloud contract — the relationship between Tesco’s tenancy on Google Cloud and Project Nimbus infrastructure is addressed in Section 3.

Israeli-Origin Confirmed Vendor

  • Trigo Vision (Israel): Tesco has a publicly confirmed, ongoing commercial partnership with Trigo Vision, an Israeli computer vision and AI company headquartered in Tel Aviv 67. Trigo’s platform powers Tesco’s “GetGo” checkout-free store format, in operation at London locations from 2021 onward 589. The partnership was confirmed via Trigo press releases and extensively covered in national and trade press. As of 2023–2024 reporting, GetGo locations remain concentrated in London as a pilot-scale deployment; the integration is operationally significant for those store locations but has not been confirmed as estate-wide 56. This represents the sole confirmed Israeli-origin vendor relationship identified in Tesco’s technology stack.

Israeli-Origin Vendors — No public evidence identified

Systematic checks against publicly available customer reference libraries and trade press returned no evidence of commercial relationships between Tesco and the following Israeli-origin or Israeli-founded vendors:

  • Check Point Software Technologies: Check Point’s public customer reference library does not list Tesco 28. No contract or integration identified in trade press or Tesco supplier disclosures.
  • Wiz: Wiz’s customer page does not reference Tesco 29. No relationship identified.
  • SentinelOne: SentinelOne’s public customer case study library does not list Tesco 27. No relationship identified.
  • CyberArk: CyberArk’s public customer reference page does not list Tesco 26. No relationship identified.
  • NICE Ltd (Israel): No verified direct contract between Tesco and NICE Ltd identified. Tesco’s contact centre platform has been reported in trade press as using Genesys-based infrastructure rather than NICE, though this is not formally confirmed via a primary source 24. NICE’s retail customer listing does not confirm Tesco.
  • Verint Systems (Israeli-founded, NYSE-listed): Verint’s customer listings do not reference Tesco 25. No relationship identified.
  • Palo Alto Networks: No public evidence identified of a specific Tesco–Palo Alto Networks contract disclosure.

Customer Data & Analytics

Tesco’s customer data science function is historically anchored in dunnhumby, a company majority-owned by Tesco until 2021 and retained as a strategic analytics partner 21. dunnhumby is UK-headquartered. No Israeli-origin technology layer within dunnhumby’s platform stack has been publicly identified. Tesco’s Clubcard personalisation and demand forecasting analytics operate on Google Cloud infrastructure 318.

Procurement & Integrator Relationships

No public evidence was identified of systems integrators mandating or deploying Israeli-origin technology as part of Tesco digital transformation programmes. Source classes checked include the Tesco supplier portal 22, annual reports 12, and trade press. Tesco’s managed security service provider relationships are not publicly disclosed; the internal cybersecurity vendor stack (endpoint, network, SIEM) is not publicly confirmed in any reviewed source, meaning Israeli-origin security vendors cannot be definitively ruled out for those layers on current public evidence.


Surveillance, Biometrics & Retail Technology

Checkout-Free Technology: Trigo Vision (Israel)

Trigo Vision’s platform deployed in Tesco GetGo stores uses overhead camera arrays and AI-based object recognition to track items customers select, enabling checkout-free payment 567. Trigo has publicly characterised its system as relying on product recognition and anonymised customer movement tracking rather than facial recognition for identity verification, and has stated the system is designed for GDPR compliance, not storing biometric facial data of customers 78.

Independent privacy researchers and the broader UK policy context — including the ICO’s 2022 guidance on retail surveillance technology 10 — have noted that overhead camera systems of this type are technically capable of behavioural tracking and gait analysis even absent overt facial identification. No confirmed ICO investigation specific to Tesco’s GetGo/Trigo deployment was identified in public records as of 2024.

A material evidence gap remains: the contractual data flows between Tesco’s GetGo deployment and Trigo’s Israeli development environment are not publicly disclosed. Whether processed or derived data is shared back to Trigo’s Tel Aviv infrastructure has not been confirmed or denied in any public documentation reviewed.

Facial Recognition — Confirmed Absence from UK Retail Controversy

Tesco has not been named in the UK’s documented controversy over overt facial recognition in retail, which centred on Southern Co-op and its Facewatch deployment 11. No ICO enforcement notice, investigation announcement, or penalty related to Tesco’s biometric or surveillance technology use was identified in reviewed sources as of 2024 10.

Other Israeli Surveillance Vendors — No public evidence identified

No public evidence was identified of any Tesco contract or integration with AnyVision/Oosto, BriefCam, or Trax (Israeli retail shelf analytics). Source classes checked include company customer pages, trade press, and NGO surveillance research databases.

Predictive Analytics & Workforce Monitoring

No public evidence was identified of Tesco deploying Israeli-origin predictive policing, sentiment analysis, social media monitoring, or workforce surveillance tools. No Israeli-origin surveillance technology reaching Tesco indirectly via managed security service providers or bundled enterprise suites was identified in reviewed sources.

Physical Security Infrastructure

UK retail CCTV and physical security surveying, as contextualised in the British Retail Consortium’s 2022 reporting 30, does not specifically identify Tesco’s physical security camera or access control vendors. Tesco’s own public disclosures do not name the vendors supplying physical surveillance infrastructure to its store estate. No Israeli-origin physical security vendor (e.g., Avigilon, Genetec with Israeli components) was confirmed or ruled out on available public evidence.


Cloud Infrastructure, Data Residency & Sovereign Cloud Participation

Data Centre Operations in Israel

No public evidence was identified of Tesco operating, leasing, or co-locating data centre infrastructure within Israel. Tesco’s data centre estate is UK-centric; the company’s 2020–2023 strategy documents describe migration of workloads to Google Cloud with UK data residency commitments 124. Source classes checked include Tesco annual reports, data centre trade press, and the Tesco Technology blog 3.

Project Nimbus — Relationship Assessment

Tesco is not a participant in Project Nimbus. Project Nimbus is a contract awarded directly between the Israeli government and Google Cloud and Amazon Web Services 12. Tesco’s position in this structure is that of a downstream commercial customer of Google Cloud, not a provider or party within the Project Nimbus supply chain 13.

No evidence was identified that Tesco’s Google Cloud workloads are routed through or hosted on Project Nimbus-designated infrastructure. Google Cloud operates multiple regional infrastructure environments; Tesco’s documented UK data residency strategy would route workloads through European/UK Google Cloud regions rather than Middle East infrastructure. Nonetheless, the indirect supply-chain relationship — in which Tesco’s primary cloud provider holds a contract with the Israeli government for cloud and AI services to Israeli state and military institutions — is a structural dependency that cannot be fully disaggregated at the tenant level without additional technical documentation not publicly available.

Campaign materials from No Tech for Apartheid, which extensively document the Project Nimbus relationship 13, do not name Tesco as a target entity or cite Tesco’s Google Cloud usage as a specific concern.

Sovereign Cloud & State Technology Provision

No public evidence was identified of Tesco providing data residency services, cloud infrastructure, or sovereign cloud participation to Israeli state institutions. Tesco is a retailer and technology consumer, not a technology provider to state institutions. Source classes checked include Tesco corporate filings 12, Israeli government procurement records (publicly available portions), and trade press.


Defence, Intelligence & Security Sector Technology Relationships

Military & Intelligence Contracts

No public evidence was identified of any contract, partnership, or service agreement between Tesco and the Israeli Ministry of Defence, the Israel Defence Forces (IDF), or Israeli intelligence agencies (Mossad, Shin Bet, Unit 8200 alumni network companies). Tesco is a consumer-facing retail and financial services group with no publicly documented defence contracting activity in any jurisdiction. Source classes checked include Israeli defence procurement databases, the UK Government Contracts Finder, trade press, and NGO research publications.

Dual-Use Technology Assessment: Trigo Vision

The Trigo Vision computer vision platform deployed in Tesco GetGo stores is a commercially developed retail analytics technology. No public reporting, official documentation, or researcher publication has identified the Tesco-deployed instance of Trigo’s technology as being repurposed for military, intelligence, or law enforcement surveillance in Israel or occupied territories 567. Source classes checked include NGO technology-and-conflict databases, academic literature on AI and surveillance in conflict zones, and investigative journalism archives. This finding is subject to the evidence gap on contractual data-sharing flows noted above.

No public evidence was identified. This category is not applicable to Tesco’s business profile. Source classes checked include export control licensing databases, UK Export Control Joint Unit (ECJU) records, and academic conflict-technology research.


AI, Algorithmic & Autonomous Systems

AI/ML Provision to State Bodies

No public evidence was identified of Tesco providing artificial intelligence, machine learning, or autonomous decision-support systems to Israeli state, military, or security bodies. Tesco’s documented AI and ML activity is oriented entirely toward consumer-facing and internal retail operations: demand forecasting, Clubcard personalisation, supply chain optimisation, and product recommendation, all operated on Google Cloud infrastructure for internal retail purposes 2318. Source classes checked include the Tesco Technology blog, annual reports 12, and Israeli government AI procurement records.

Retail AI Systems in Operation

Tesco’s Capital Markets Day 2023 materials confirm a strategic programme of AI and data capability investment across pricing, personalisation, and operational efficiency domains 18. These systems are built on Google Cloud infrastructure and informed by the dunnhumby data science capability 21. No Israeli-origin AI tooling or model infrastructure is publicly identified within these deployments.

The Trigo Vision GetGo deployment constitutes the sole Israeli-origin AI system confirmed in Tesco’s operational estate. As described above, this system’s AI functions are directed at in-store product identification and customer basket assembly, not population analytics or security intelligence 567.

Training Data & Model Development

No public evidence was identified of Tesco AI models being trained on civilian population data, intercepted communications, or surveillance-derived datasets connected to Israel or occupied territories. Tesco’s engineering publications describe training pipelines drawing on internal retail transaction data and product catalogues 323. Source classes checked include Tesco engineering publications, academic AI ethics literature, and NGO data governance research.

Autonomous Systems & Lethality

No public evidence was identified. Not applicable to Tesco’s business profile.


Technology Ecosystem & R&D Footprint

Israeli R&D Centres & Engineering Presence

No public evidence was identified of Tesco operating research and development facilities, engineering offices, innovation labs, or accelerator programmes within Israel. Tesco’s R&D and technology engineering functions are publicly documented as concentrated in the United Kingdom, specifically at Welwyn Garden City (corporate HQ) and London technology hub locations 123. Source classes checked include Tesco corporate filings, LinkedIn corporate presence data, and Israeli tech ecosystem directories (Start-Up Nation Central).

Acquisitions & Investments in Israeli Technology

No public evidence was identified of Tesco acquiring an Israeli-origin technology company or making strategic investments in Israeli technology startups or venture capital funds. Tesco’s documented technology-adjacent acquisition and investment activity includes the partial dunnhumby restructuring and various UK retail assets; none involve Israeli-domiciled entities 21. Source classes checked include Crunchbase, M&A trade press, and Tesco investor relations disclosures.

Patent & Intellectual Property Arrangements

No public evidence was identified of significant patent portfolios, licensing agreements, or co-development arrangements between Tesco and Israeli-domiciled entities or Israeli research institutions (Technion, Hebrew University, Weizmann Institute). Source classes checked include UK IPO, USPTO, and EPO patent databases.

Open Source & Engineering Community Footprint

Tesco maintains an active public GitHub presence 23 and the Tesco Technology Medium publication 3, documenting open-source tooling use. No Israeli-origin open-source frameworks, libraries, or co-development contributions referencing Israeli institutional affiliations were identified in these public repositories.

Supplier Ecosystem Concentration

Tesco’s disclosed supplier ecosystem is UK and EU-centric. The primary confirmed technology dependencies with cross-jurisdictional exposure are: (1) Google Cloud (US, with Project Nimbus exposure noted); (2) Trigo Vision (Israel, confirmed operational partnership). No additional Israeli-origin entities were confirmed in the third-party supplier ecosystem on available public evidence. The Responsible Business Report 17 and Modern Slavery Statement 16 address supply chain governance in general terms but do not provide technology vendor-level detail relevant to this audit.


Civil Society Scrutiny & Regulatory History

NGO Research & Campaign Activity

  • Palestine Solidarity Campaign (PSC) / BDS Movement: Boycott materials published by PSC and the BDS National Committee as of 2023–2024 reference Tesco 1415. However, the cited grounds in publicly available PSC campaign material relate primarily to Tesco’s retail stocking of Israeli-origin produce and consumer goods — a commercial sourcing matter distinct from technology vendor relationships or digital supply chain links 15. No dedicated NGO technology audit of Tesco’s digital supply chain in the context of Israeli technology relationships was identified.
  • No Tech for Apartheid: This campaign focuses specifically on Google Cloud and Amazon AWS as direct Project Nimbus contractors 13. Tesco is not named in No Tech for Apartheid campaign materials.
  • Privacy International / Big Brother Watch: UK digital rights organisations have not published investigations specifically targeting Tesco’s technology relationships with Israeli vendors. Big Brother Watch’s documented facial recognition campaign centred on Southern Co-op and Facewatch 11, not Tesco.

Boycott & Divestment Campaigns

Consumer-level BDS campaign materials reference Tesco in the context of retail product stocking (Israeli produce, SodaStream, and similar), not technology supply chain relationships 1415. No dedicated technology-divestment campaign specifically targeting Tesco’s Trigo Vision relationship or other digital vendor relationships was identified. No technology-specific BDS enforcement campaign against Tesco has been identified on the evidence reviewed.

  • ICO — Biometrics/Surveillance: The ICO’s 2022 guidance on facial recognition in retail 10 was issued in direct response to the Southern Co-op/Facewatch deployment 11, not Tesco. No ICO enforcement notice, investigation announcement, or penalty related to Tesco’s use of biometric or surveillance technology was identified as of 2024.
  • FCA / Tesco Bank Cyberattack (2018): The Financial Conduct Authority investigated and fined Tesco Bank £16.4 million following the November 2016 cyberattack on customer accounts 1920. This is a UK financial services cybersecurity regulatory action entirely unrelated to Israeli technology relationships or supply chain matters.
  • ICO — Tesco Bank (2018): The ICO also examined the 2016 Tesco Bank incident in the context of data security obligations 19. Again, no Israeli technology supply chain element was present.
  • Export Control & Sanctions: No export control actions, sanctions-related investigations, or regulatory inquiries involving Tesco’s technology sales or services to Israeli state entities were identified. Source classes checked include UK ECJU licensing records, US BIS, EU dual-use export databases, and the ICO enforcement register.

Evidence Gaps Relevant to Civil Society & Regulatory Assessment

The following material gaps limit the completeness of this section and represent areas where the absence of evidence should not be read as a clean finding without further investigation:

  • Tesco’s full internal cybersecurity vendor stack remains undisclosed; Israeli-origin security tooling cannot be definitively ruled out for endpoint, SIEM, or network layers.
  • Contractual data flows between Tesco’s GetGo deployment and Trigo’s Israeli infrastructure are not publicly disclosed and have not been examined by ICO or other regulators in any published proceeding identified.
  • Tesco’s MSSP relationships are not publicly disclosed.
  • Whether dunnhumby’s analytics platform incorporates Israeli-origin data science tooling is not publicly confirmed.
  • The precise current scale of the Trigo GetGo deployment (store count, data volume processed) beyond the 2023 London pilot characterisation is not confirmed in reviewed sources.

End Notes


  1. https://www.tescoplc.com/investors/reports-and-presentations/annual-report-2024/ 

  2. https://www.tescoplc.com/investors/reports-and-presentations/annual-report-2023/ 

  3. https://medium.com/tesco-technology 

  4. https://cloud.google.com/blog/products/retail/tesco-chooses-google-cloud 

  5. https://www.thegrocer.co.uk/technology/tesco-getgo-checkout-free 

  6. https://www.trigoretail.com/news/tesco-partnership 

  7. https://techcrunch.com/2022/06/22/trigo-vision-raises-100m/ 

  8. https://www.bbc.co.uk/news/business-55584181 

  9. https://www.theguardian.com/business/2021/jan/07/tesco-trials-amazon-style-checkout-tesco-express 

  10. https://ico.org.uk/about-the-ico/media-centre/news-and-blogs/2022/06/facial-recognition-in-retail/ 

  11. https://www.bbc.co.uk/news/technology-62329256 

  12. https://www.theguardian.com/commentisfree/2021/oct/12/google-amazon-workers-oppose-project-nimbus-israeli-military-contract 

  13. https://www.notechforapartheid.com/ 

  14. https://bdsmovement.net/technology 

  15. https://www.palestinecampaign.org/boycott/ 

  16. https://www.tescoplc.com/sustainability/documents/modern-slavery-statement-2023/ 

  17. https://www.tescoplc.com/sustainability/reports/ 

  18. https://www.tescoplc.com/investors/reports-and-presentations/capital-markets-day-2023/ 

  19. https://ico.org.uk/about-the-ico/media-centre/news-and-blogs/2018/tesco-bank/ 

  20. https://www.bbc.co.uk/news/business-37912617 

  21. https://www.dunnhumby.com/about/ 

  22. https://www.tescoplc.com/suppliers/ 

  23. https://github.com/tesco 

  24. https://www.nice.com/customers/retail 

  25. https://www.verint.com/customers/ 

  26. https://www.cyberark.com/customers/ 

  27. https://www.sentinelone.com/customers/ 

  28. https://www.checkpoint.com/about-us/customer-success/ 

  29. https://www.wiz.io/customers 

  30. https://brc.org.uk/reports/cctv-retail-2022 
