Digital Audit: Costa Coffee
Audit Phase: Digital (Digital / Technology Forensics) Subject Entity: Costa Limited (“Costa Coffee”), a wholly owned subsidiary of The Coca-Cola Company (acquired from Whitbread plc, completed 3 January 2019)1 Registered Office: Costa House, Houghton Hall Business Park, Houghton Regis, Dunstable, United Kingdom Audit Date: June 2026 Evidence Base: Published corporate disclosures, vendor press releases and case studies, retail- and contact-centre technology press, NGO research, and regulatory/biometric-policy reporting. All factual claims are drawn from publicly available sources cited in the End Notes.
Scope and directionality note: Digital assesses the digital/technology nexus to Israel. The serious case is the provision of surveillance, digital, data, or cyber technology to the Israeli state, military, or security services. The reverse direction - Costa procuring technology from Israeli-origin vendors - is a customer relationship and is recorded explicitly as such, weighted far lower than provision. No transitive guilt is imputed: an Israeli vendor’s other clients, a founder’s military background, or a parent/franchisee’s separate activities are not attributed to Costa. US-entity relationships (e.g. Microsoft, Google, AWS, GEP) are not Israeli-origin and are noted only for completeness. Cyberattacks recorded below were directed at Costa/its parent and are not instances of provision.
Enterprise Technology Stack & Vendor Relationships
Strategic Technology Partnerships (Direction: Costa as customer)
Costa’s principal disclosed enterprise-data relationship is with Vega IT, a Serbian IT consultancy, which rebuilt Costa’s data architecture/data-warehouse after Costa moved its data infrastructure in-house from a prior external vendor.2 The published Vega IT case study lists a stack including Databricks, Azure DevOps, Python, PySpark and Power BI Service; a separate Vega IT engagement automated Costa’s pricing and menu management using Durable Azure Functions, cutting manual work by over 90%.23 These engagements run on the Microsoft Azure ecosystem; Microsoft is a US-headquartered entity, and the case studies do not specify Azure regions or any Israeli infrastructure.23
Costa uses Google Maps Platform (Geocoding API, Places API, Place Autocomplete) and Google Analytics for its store locator and click-and-collect features; Gordon Lucas, Costa’s Global Head of Digital Engineering, is quoted in the Google case study.4 Google is a US-headquartered entity; this is Google Maps Platform, not Google Cloud infrastructure, and no data-residency or Israel detail is disclosed.4
Costa deployed GEP SOFTWARE, a US-headquartered (Clark, New Jersey) AI-driven procurement and supply-chain platform, to automate direct and indirect procurement across roughly 50 countries; Xavier Martinez, Costa’s Chief Supply Chain Officer, is quoted in the GEP announcement.5 No Israeli nexus is identified.5
Costa’s loyalty programme, “Costa Club,” is personalised using decision-intelligence software from HyperFinity (a Leeds, UK-based firm founded 2019), which reports year-on-year growth in Costa’s loyalty base.67 HyperFinity is a UK-origin vendor; no Israeli nexus is identified.67
Israeli-Origin Technology Vendors in the Costa Stack (Direction: Costa as customer)
No public evidence was independently identified confirming a current licensing, subscription, or integration relationship between Costa Coffee Ltd and any Israeli-origin technology vendor. Prior unverified claims - that Costa uses Check Point (co-appearance with a Costa security-team speaker at the CISO Inspired Summit UK 2025 only), NICE (mere co-exhibition at Contact Centre Expo 2025), SentinelOne (Costa named in a Nebula Global Services market report, not stated to be a Nebula/SentinelOne client), CyberArk (via managed-services provider Exponential-e, whose customer list does not name Costa), or Verint (an inference chain via Bellrock/Sabio with no link to Costa) - were tested against primary sources and none establishes a contractual or deployment relationship.8 No public evidence of a confirmed Israeli-origin cybersecurity or analytics deployment at Costa Coffee identified.
Systems Integrators (Franchisee-level)
Infosys / Americana Restaurants (franchisee level): Infosys BPM documents an Accounts Payable on Cloud and agentic-AI invoice-automation engagement with Americana Restaurants - a Middle East/North Africa/Kazakhstan operator of more than 2,600 restaurants whose multi-brand portfolio includes Costa Coffee alongside KFC, Pizza Hut, Krispy Kreme and others.9 The solution is “powered by Microsoft’s AI stack, combining Azure AI Foundry and other LLMs.”9 This is a franchisee-entity engagement using a US (Microsoft) AI stack, not a Costa Coffee Ltd implementation, and no Israeli-origin technology is named.9
Procurement Transparency Constraints
Costa is a private-sector subsidiary not subject to UK public-procurement disclosure obligations. Vendor relationships below the level of named, publicly announced partnerships are not in the public domain, and the full security/IT vendor stack is undisclosed. This is the principal evidence gap in this domain.
Surveillance, Biometrics & Retail Technology
Smart Vending & Demographic Analytics (Costa Express / “Marlow” - confirmed historically)
In 2013 Costa Coffee’s Costa Express unit unveiled the “Marlow” / CEM-200 multi-sensory self-serve vending machine, which used facial-detection technology to estimate customer age and gender for tailored advertising and product recommendation; the system integrated technology from Intel and others and was integrated by Bsquare Corp., with demographic data described as anonymous.1011 Intel is a US-headquartered company (with R&D operations in Israel) and is not an Israeli-origin company. No post-2020 source confirms whether this demographic-analytics capability remains active in current-generation Costa Express hardware; current status is unconfirmed.10
Robotic Kiosks (BaristaBot / Briggo - confirmed historically)
In October 2020 Coca-Cola (via Costa) acquired the Austin, Texas robotic-coffee-kiosk firm Briggo (founded 2008; ~52 automated kiosks), rebranding the platform as Costa BaristaBot.1213 Briggo/BaristaBot is a US company with no identified Israeli origin or Israeli investor base; the BaristaBot brand has since been reported as discontinued.12 No public evidence identified that the kiosk platform routes data through Israeli infrastructure.
Frictionless / Autonomous Checkout (Zippin - not confirmed at Costa)
Zippin (US-headquartered, San Francisco) supplies checkout-free retail technology; its documented UK theme-park deployment (“DUPLO Coffee Co.” at LEGOLAND Windsor) was with Aramark UK, not Costa Coffee.14 No primary source in the current record names Costa Coffee as a Zippin customer. No public evidence of a confirmed Zippin deployment at Costa Coffee identified.
Smart Cabinets (Reckon.ai - not confirmed at Costa)
Reckon.ai (Porto, Portugal; lead investor Iberis Capital) supplies AI smart-cabinet/unattended-retail technology to clients including Carrefour and REWE/Lekkerland.1516 No primary source in the current record names Costa Coffee as a Reckon.ai customer; Reckon.ai is not of Israeli origin. No public evidence of a confirmed Reckon.ai deployment at Costa Coffee identified.
Facial Recognition / Biometric Payments
No public evidence identified of a confirmed facial-recognition or biometric-payment (e.g. PopID) deployment specifically at Costa Coffee outlets.
Retail Execution Analytics / Video Analytics (Trax, BriefCam)
No public evidence identified of a confirmed Trax (Tel Aviv R&D) or BriefCam (Israeli-founded, Canon-owned) deployment at Costa Coffee; prior claims rested on sources that do not name Costa.
Cloud Infrastructure, Data Residency & Sovereign Cloud Participation
Confirmed Cloud / Platform Usage
Costa’s data and application workloads are documented on Microsoft Azure (Databricks, Azure DevOps, Durable Azure Functions, Power BI) via Vega IT,23 and it uses Google Maps Platform for location services.4 Both Microsoft and Google are US-headquartered. No identified source specifies the Azure or Google regions hosting Costa’s data, and no evidence places Costa’s data in Israeli infrastructure.234
Data Centre Operations in Israel
No public evidence identified. No source documents Costa Coffee operating, leasing, or co-locating any data centre or cloud compute infrastructure within Israel.
Project Nimbus
No public evidence identified. Costa Coffee is not named in any Project Nimbus contract documentation or Israeli government procurement record. Project Nimbus is a contract between the Israeli government and Google Cloud and AWS; no direct relationship between Costa and that programme is documented.
Data Sovereignty / Sovereign Cloud Services to the Israeli State
No public evidence identified. Costa is a retail beverage company; no evidence has been found of it providing data-sovereignty, infrastructure-resilience, or cloud services to any state body, including Israeli government entities.
Defence, Intelligence & Security Sector Technology Relationships
Military & Intelligence Contracts
No public evidence identified. No contracts, partnerships, or service agreements between Costa Coffee and the Israeli Ministry of Defence, Israel Defense Forces, Shin Bet, Mossad, or any other Israeli or international defence or intelligence agency have been identified in any public source reviewed.
Dual-Use Technology Deployments
No public evidence identified. No reporting documents Costa’s commercial technology - frictionless checkout, robotic kiosks, vending demographic analytics, or customer-data systems - being deployed for military, intelligence, or law-enforcement surveillance applications in Israel or the occupied Palestinian territories.
Offensive Cyber & Weapons Technology
No public evidence identified. Costa Coffee has no documented involvement in offensive cyber capabilities, exploit tooling, vulnerability research, or digital weapons systems of any kind.
AI, Algorithmic & Autonomous Systems
AI/ML Provision to Israeli State Bodies
No public evidence identified. No AI or machine-learning products or services supplied by Costa Coffee to Israeli government, military, or intelligence entities have been documented.
Training Data & Model Development
No public evidence identified. No public information describes Costa Coffee licensing customer data, behavioural datasets, or operational data to Israeli AI development programmes or Israeli state bodies.
Autonomous & Algorithmic Systems (civilian retail applications)
Costa’s documented AI/autonomous systems are civilian retail applications: HyperFinity decision-intelligence personalisation of the Costa Club loyalty scheme;67 GEP AI-driven procurement automation;5 historic Briggo/BaristaBot robotic kiosks;12 and historic Intel/Bsquare “Marlow” vending demographic analytics.1011 None has any documented connection to defence, lethality, or state-surveillance applications. The franchisee-level Infosys/Americana agentic-AI accounts-payable deployment runs on Microsoft’s Azure AI stack.9
Technology Ecosystem & R&D Footprint
R&D Facilities
Costa opened a UK-based Innovation and Development Centre in Loudwater, England (2024), to test and develop equipment for Costa Coffee Professional’s coffee solutions.17 No public evidence identified of Costa Coffee operating any R&D facility, engineering office, innovation lab, or accelerator within Israel.
Acquisitions & Investments
- Briggo / BaristaBot (2020): US (Austin, Texas) robotic-kiosk firm; no identified Israeli origin or investor base.1213
- The Coca-Cola Company “The Bridge” accelerator (parent-level): The Coca-Cola Company operates a Tel Aviv-based accelerator (“The Bridge”) connecting Israeli startups to its commercial network; this is a parent-company activity with no documented Costa-branded engagement. (Parent-level context; not a Costa Coffee Ltd activity.)
- No direct acquisition or equity investment by Costa Coffee Ltd in any Israeli technology company has been identified in public sources.
Patents & IP
No public evidence identified of Costa Coffee patent portfolios, IP licensing arrangements, or co-development agreements with Israeli-domiciled entities or research institutions in the digital/technology domain.
Civil Society Scrutiny & Regulatory History
Cyber & Data-Breach Incidents (directed at Costa / its then-parent)
- PageUp breach (2018): PageUp, an Australian HR/recruitment SaaS supplier to then-parent Whitbread (operator of Costa Coffee, Premier Inn and others), was breached in 2018, exposing job-applicant and HR data including names, genders, dates of birth, nationalities, email and physical addresses, and telephone numbers; Whitbread confirmed it notified affected parties.18 This predates Coca-Cola’s January 2019 acquisition and was an attack on the company, not provision.118
- Costa Club loyalty breach (2015): A breach affecting a reported ~0.02% of loyalty-card holders’ contact information was disclosed; Costa stated no financial data is held on the loyalty system.19
No Israeli-origin vendor was named in connection with either incident.
NGO Reports & Boycott Campaigns (franchise / parent supply-chain context)
- Who Profits Research Center profiles the Central Bottling Company (CBC / “Coca-Cola Israel”) - majority-owned by David Wertheim (62.99%) - which holds the exclusive Coca-Cola franchise in Israel, operates a regional distribution centre and cooling houses in the Atarot Industrial Zone in occupied East Jerusalem, and whose subsidiary Tabor Winery produces wine from grapes grown on settlement land in the West Bank and the occupied Syrian Golan.20 These are franchisee-level (CBC) facts; Costa Coffee Ltd is a brand within the Coca-Cola family and does not directly operate CBC’s infrastructure.
- Palestine Solidarity Campaign - “Don’t Buy Apartheid” (launched March 2025): PSC named Coca-Cola and its brands - explicitly including Costa Coffee alongside Schweppes, Fanta, Sprite and Innocent - as a strategic boycott target, citing the Israeli franchisee’s operations in an illegal settlement around occupied Jerusalem.2122 This campaign is directed at the Coca-Cola corporate family; no documented campaign targets Costa’s technology vendor relationships as a distinct concern.
Regulatory & Legal Actions (technology domain)
No public evidence identified of regulatory inquiries, export-control actions, sanctions investigations, or legal challenges specifically involving Costa Coffee’s technology procurement, data practices, or services to Israeli state entities. No completed ICO enforcement action specifically naming Costa Coffee’s technology operations has been identified in available sources.
End Notes
Footnotes
-
https://www.foodmanufacturing.com/home/news/13248648/the-cocacola-company-completes-acquisition-of-costa-from-whitbread-plc ↩ ↩2
-
https://www.vegait.co.uk/media-center/business-insights/we-rebuilt-costa-s-data-architecture-to-drive-growth ↩ ↩2 ↩3 ↩4 ↩5
-
https://www.vegaitglobal.com/media-center/business-insights/helping-costa-coffee-reduce-manual-work-by-90-with-automated-pricing-and-menu-management ↩ ↩2 ↩3 ↩4
-
https://www.gep.com/newsroom/costa-coffee-uks-favorite-coffee-shop-successfully-goes-live-geps-ai-driven-software ↩ ↩2 ↩3
-
https://hyperfinity.ai/resources/hyperfinity-x-costa ↩ ↩2 ↩3
-
https://retailtechinnovationhub.com/home/2024/6/10/rtih-innovation-awards-winner-costa-coffee-takes-wraps-off-new-uk-based-innovation-and-development-centre ↩ ↩2 ↩3
-
https://www.infosysbpm.com/insights/client-insights/americana-and-infosys-bpm-pioneering-the-future-of-accounts-payable-with-agentic-ai.html ↩ ↩2 ↩3 ↩4
-
https://www.geekwire.com/2013/smart-coffee-vending-machine-lot/ ↩ ↩2 ↩3
-
https://www.idsvending.com/blog/new-coffee-vending-machine-uses-facial-recognition/ ↩ ↩2
-
https://www.worldcoffeeportal.com/news/costa-coffee-us-to-launch-new-robotic-coffee-kiosk-concept-in-texas/ ↩ ↩2 ↩3 ↩4
-
https://www.bevnet.com/news/2020/costa-coffee-acquires-rebrands-briggo-machine-as-baristabot/ ↩ ↩2
-
https://www.getzippin.com/blog/first-european-theme-park-launches-zippin ↩
-
https://retailtechinnovationhub.com/home/2025/7/29/autonomous-retail-technology-startup-reckonai-bags-51-million-in-funding-round-led-by-iberis-capital ↩
-
https://retailtechinnovationhub.com/home/2024/12/18/fast-fresh-food-lekkerland-se-and-reckonai-team-on-rewe-to-go-autonomous-store-in-german-train-station ↩
-
https://retailtechinnovationhub.com/home/2024/6/10/rtih-innovation-awards-winner-costa-coffee-takes-wraps-off-new-uk-based-innovation-and-development-centre ↩
-
https://www.itpro.com/data-breaches/31437/costa-coffee-and-premier-inn-hit-by-data-breach ↩ ↩2
-
https://www.theregister.com/2015/04/23/costa_coffee_club_members_security_breach/ ↩
-
https://palestinecampaign.org/campaigns/dont-buy-apartheid/ ↩
-
https://www.ethicalconsumer.org/ethical-campaigns-boycotts/palestine-campaigners-target-coca-cola-israeli-fresh-produce ↩