Digital Audit: Krispy Kreme, Inc.

Audit Phase: Digital (Digital / Technology Forensics) Subject Entity: Krispy Kreme, Inc. (NASDAQ: DNUT) Registered Address: 2116 Hawkins Street, Charlotte, North Carolina 28203, United States Audit Date: June 2026 Evidence Base: Vendor case-study and partner disclosures, technology-stack profiling databases, SEC and state-regulator breach reporting, trade and security press, and NGO/BDS materials. All factual claims are drawn from publicly available sources cited in the End Notes.

Scope and directionality note: Digital assesses the digital/technology nexus to Israel. The serious case is the provision of surveillance, digital, data, or cyber technology to the Israeli state, military, or security services. The reverse direction - Krispy Kreme procuring technology from Israeli-origin vendors - is a customer relationship and is recorded explicitly as such, weighted far lower than provision. No transitive guilt is imputed: a vendor’s other clients, its founders’ backgrounds, or a parent group’s separate activities are not attributed to Krispy Kreme. US-entity relationships (e.g. Oracle, Microsoft, SoundHound) are not Israeli-origin and are noted only for completeness. Cyberattacks suffered by the company are recorded as events done to Krispy Kreme, not as provision.

Enterprise Technology Stack & Vendor Relationships

Disclosed Enterprise Vendors (Direction: Krispy Kreme as customer)

Technology-stack profiling identifies Krispy Kreme as a customer of several named, non-Israeli enterprise software vendors: Oracle E-Business Suite (financial/ERP, implemented circa 2013), ECI Macola (manufacturing/distribution ERP on an AS400 platform), and iCIMS Recruit (applicant tracking, implemented circa 2014).¹ These are US-origin enterprise vendors and the relationship direction is Krispy Kreme as customer.

For managed network and IT services, Krispy Kreme uses HighPoint as a managed-services provider; HighPoint’s own case study states it provides “Meraki Infrastructure Management: full support across U.S. stores” (Cisco Meraki, US-origin) and “Firewall Management: proactive monitoring and patching of Palo Alto firewalls,” alongside vendor management, telecom support, and vulnerability patching.² Palo Alto Networks is a US-headquartered company (its founder is of Israeli origin, but the corporate entity is US-domiciled and this is recorded for completeness only).² For treasury and cash management, Krispy Kreme is a customer of Trovata (US-origin), which provides API-based, cloud bank-data-lake treasury analytics in place of a legacy treasury management system.³ For omnichannel marketing and loyalty, Krispy Kreme uses SAP Emarsys / SAP Engagement Cloud (SAP is German-origin; Emarsys was Austrian-founded), documented for its ANZ operations.⁴ Its UK loyalty programme has been delivered with HTK (a UK-origin customer-engagement vendor).⁵

Israeli-Origin Technology Vendors in the Krispy Kreme Stack (Direction: Krispy Kreme as customer)

No public evidence identified. None of the named vendors in Krispy Kreme’s disclosed stack (Oracle, ECI, iCIMS, Cisco Meraki, Palo Alto Networks, HighPoint, Trovata, SAP Emarsys, HTK, SoundHound) is an Israeli-origin company.¹²³⁴⁵ Technology-stack profiling of Krispy Kreme entities did not surface a named Israeli-origin software supplier.¹

Israeli-Origin Cybersecurity Vendors

No public evidence identified confirming that Krispy Kreme holds a licensing, subscription, or integration relationship with any Israeli-origin cybersecurity vendor - including Check Point, Wiz, CyberArk, SentinelOne, Verint, NICE, or Claroty.⁶ General reporting confirms these are Israeli-founded firms (several with Unit 8200-veteran founders),⁶ but none was linked to Krispy Kreme’s environment in any independently sourced record reviewed. Reporting on the November 2024 cyberattack (below) named US-origin firewall and managed-service vendors (Palo Alto, Cisco Meraki via HighPoint) and unnamed external “cybersecurity experts,” and did not surface any Israeli security product in Krispy Kreme’s stack.²⁷

Procurement Transparency Constraints

Krispy Kreme’s SEC filings describe technology investment at a high level and do not enumerate the full IT and security vendor stack. Vendor relationships below the level of named, publicly profiled engagements are not in the public domain. This is the principal evidence gap in this domain.

Surveillance, Biometrics & Retail Technology

Facial Recognition & Biometric Identification

No public evidence identified of Krispy Kreme deploying facial-recognition, biometric-identification, gait-analysis, or behavioural-analytics technology in its retail, manufacturing, or distribution facilities. Searches surfaced facial-recognition deployments by other US food/grocery retailers (e.g. Kroger), but none linked to Krispy Kreme.⁸ (Separately, “biometric data” appears in the categories of stolen employee data from the November 2024 breach - see below - which concerns data held about employees, not surveillance technology deployed by the company.)⁹

Israeli-Origin Surveillance / Biometric Vendors

No public evidence identified that Krispy Kreme has deployed facial-recognition, biometric, or in-store behavioural-analytics technology of Israeli origin (e.g. Oosto/AnyVision, BriefCam, Trigo, Trax). No public source links any of these vendors to Krispy Kreme.¹⁸

Predictive Analytics, Workforce Monitoring & Social-Media Surveillance

No public evidence identified of Krispy Kreme using Israeli-origin predictive-analytics, sentiment-analysis, social-media-monitoring, or workforce-surveillance tools.

In-Store Analytics, Loss Prevention & Third-Party “Doors”

Krispy Kreme distributes through company shops, franchises, and third-party “Doors” (grocery and retail hosts). Third-party loss-prevention or CCTV-analytics sub-contractors at store or host level are not publicly disclosed, and it cannot be confirmed or excluded from public evidence whether any such sub-contractor deploys Israeli-origin technology within its own platform. No public evidence identified linking any to Krispy Kreme.¹

Cloud Infrastructure, Data Residency & Sovereign Cloud Participation

Hyperscaler & Cloud Relationships

Technology-stack profiling indicates Krispy Kreme uses commodity cloud/CDN infrastructure components - reporting cites AWS Route 53 (DNS) and Cloudflare CDN among its consumer-web technologies - and multiple infrastructure-as-a-service providers for application hosting.¹¹⁰ AWS and Cloudflare are US-origin. No public evidence identified of a Microsoft Azure or Google Cloud primary-platform relationship named in a case study.¹ These are commodity US-origin services with no disclosed Israel nexus.

Data Centre Operations in Israel

No public evidence identified of Krispy Kreme operating, leasing, or co-locating data-centre or server infrastructure within Israel.¹

Project Nimbus & Israeli State Cloud Infrastructure

Not applicable. Project Nimbus is the Israeli-government cloud contract awarded to Google Cloud and Amazon Web Services; Krispy Kreme is neither a participant nor a sub-provider. No public evidence identified of Krispy Kreme involvement in any Israeli state-backed digital-infrastructure programme.

Data-Sovereignty or Resilience Services to Israeli State Institutions

No public evidence identified. Krispy Kreme is a consumer food company and does not operate as a technology or cloud-service provider to any state body, Israeli or otherwise.

Israeli Operations - Data Residency

No public evidence identified that Krispy Kreme operates in Israel. The company’s published operations-by-country listing records Middle East presence in Kuwait, the UAE, Bahrain, and (historically) Lebanon, with no Israel operation listed.¹¹ No Israeli franchise data-residency question therefore arises on current public evidence.

Defence, Intelligence & Security Sector Technology Relationships

Military & Intelligence Contracts

No public evidence identified of any contract, partnership, or service agreement between Krispy Kreme and the Israeli Ministry of Defence, the Israel Defense Forces (IDF), or Israeli intelligence/security agencies (including Unit 8200-linked commercial entities). Krispy Kreme is a consumer food business and does not publicly operate in the defence-technology or security-services sector.

Provision of Technology / Data to the Israeli State or Military

No public evidence identified of Krispy Kreme providing surveillance technology, data, software, cloud capacity, or digital services to the Israeli state, military, or security services. This is the directionally serious Digital case, and no qualifying evidence of it was found.

Dual-Use Technology Provision

No public evidence identified. Krispy Kreme does not develop, license, or sell technology products; its commercial products are consumer food items.

Offensive Cyber Capability / Cyberattack Suffered by the Company

No public evidence identified that Krispy Kreme develops, licenses, or sells offensive cyber capability. Krispy Kreme was itself the victim of a cyberattack: it detected unauthorised activity on its IT systems on 29 November 2024, disclosed the incident to the SEC (8-K) on or about 11 December 2024, and the Play ransomware gang claimed responsibility and leaked stolen archives on its dark-web site on 21 December 2024 after negotiations failed.⁷⁹¹² The attack disrupted US online ordering, affected dozens of stores, and Krispy Kreme estimated roughly $5 million in losses (about $4.4 million on remediation and cybersecurity experts).⁷¹² This incident was done to Krispy Kreme and has no nexus to the provision of technology to Israel; it is recorded here as factual digital context only.

AI, Algorithmic & Autonomous Systems

AI/ML Provision to Israeli State Bodies

No public evidence identified of Krispy Kreme providing AI capability, model access, datasets used to train models, or inference services to any Israeli state, military, or security body.

Internal / Customer-Facing AI Deployment (Direction: Krispy Kreme as customer)

Krispy Kreme is a customer of SoundHound AI (US-origin, headquartered in Santa Clara, California), whose Houndify/Dynamic Drive-Thru voice-AI platform has been deployed for drive-thru order-taking.¹³ The company has also described using AI with its third-party logistics providers to optimise deliveries (weighting weather, seasonality, and day-of-week) and plans to apply machine learning to loyalty-marketing personalisation across its 17-million-member US programme.¹⁴ All identified AI tooling is US-origin or internally operated; no Israeli-origin AI vendor was identified in Krispy Kreme’s stack.¹¹³¹⁴

Model Datasets & Development Involving Israeli Population Data

No public evidence identified of Krispy Kreme contributing to, commissioning, or benefiting from AI model development involving Israeli population datasets.

Autonomous Systems & Lethality

No public evidence identified. The development or deployment of autonomous lethal systems is not within Krispy Kreme’s business domain.

Technology Ecosystem & R&D Footprint

Israeli R&D Facilities

No public evidence identified that Krispy Kreme operates any R&D facility, engineering office, innovation lab, or accelerator programme within Israel. Krispy Kreme’s disclosed R&D is focused on food-product development.¹

Acquisitions & Investments in Israeli Technology Companies

No public evidence identified of Krispy Kreme acquiring, or taking a corporate-venture stake in, any Israeli technology company. Krispy Kreme’s disclosed acquisitions are concentrated in the food and franchising sector.¹

Parent / JAB Portfolio - Technology Investment Screening

Krispy Kreme is majority-owned by JAB Holding Company (Reimann family), whose portfolio is concentrated in consumer beverages and food-service brands.¹⁵ No public evidence identified of JAB holding Israeli technology-company investments that would create a second-order technology linkage to Krispy Kreme. (JAB/Reimann philanthropic and reputational matters relating to Israel are economic/political in character and are addressed in the Economic and Political domains, not here.)¹⁵

Patents & IP Co-Development with Israeli Institutions

No public evidence identified of patent portfolios, licensing, or co-development arrangements between Krispy Kreme and Israeli-domiciled entities or research institutions (Technion, Hebrew University, Weizmann Institute).

Supplier Code of Conduct - Technology Supply-Chain Provisions

No public evidence identified of a technology-supply-chain due-diligence framework specific to vendor geopolitical exposure published by Krispy Kreme.

Civil Society Scrutiny & Regulatory History

NGO & Academic Scrutiny - Technology Supply Chain

No public evidence identified of an NGO investigation, academic study, or UN report addressing Krispy Kreme’s technology relationships with the Israeli state, Israeli defence entities, or Israeli-origin vendors. The Who Profits Research Centre and AFSC “Investigate” databases track corporate involvement in the settlement/occupation economy; no listing of Krispy Kreme on technology grounds was identified.¹⁶

BDS Campaigns

Krispy Kreme is the subject of BDS and consumer-boycott campaigning during the 2023–2026 period, promoted across social media and in boycott guides.¹⁷¹⁸ The publicly documented grounds relate to the company’s ownership by JAB Holding / the Reimann family and the family’s reported support for Israel - an economic/political ownership rationale, addressed in the Economic and Political domains - not to Israeli-origin technology procurement, software licensing, or digital-infrastructure provision. No public evidence identified of a BDS or NGO campaign specifically targeting Krispy Kreme’s technology relationships.

Data-Protection Regulatory & Legal Exposure (Cyberattack)

The November 2024 breach compromised the personal data of 161,676 people (predominantly employees, family members, and former employees), including Social Security numbers, driver’s-licence and financial-account data, passport numbers, and biometric/health data, per filings with state attorneys general.⁹¹⁹ A proposed class action (Peace v. Krispy Kreme) was filed in the US District Court for the Western District of North Carolina in June 2025 alleging failure to protect and to encrypt employee data; a proposed settlement of roughly $1.6 million was reported in 2026.¹⁹²⁰ This exposure concerns Krispy Kreme’s posture as the victim of an attack and the adequacy of its data-security controls; it is not connected to any Israeli-origin technology relationship.

Export Controls & Sanctions Authorities

No public evidence identified of any action by US export-control authorities (BIS/EAR, ITAR), OFAC, or any equivalent body relating to Krispy Kreme technology sales, services, or data transfers to Israeli state entities.

Regulatory & Legal Actions - Technology Sales to Israeli State Entities

No public evidence identified of any SEC, FTC, export-control, or sanctions-body action relating to Krispy Kreme technology sales or services to Israeli state entities.

End Notes