INDEX / DIRECTORY / TK MAXX / DIGITAL

TK Maxx DIGITAL

DIGITAL INFRASTRUCTURE AUDIT UPDATED 2026-06-15
Digital Score 0.00 /10 E TK Maxx - BDS-1000 145
Digital 0.00

Evidence-only forensic audit. Scoring happens downstream - see the main dossier for the composite assessment.

Digital Audit: TK Maxx (The TJX Companies, Inc.)

Audit Phase: Digital (Digital / Technology Forensics) Subject Entity: TK Maxx - UK/Ireland/European trading name of The TJX Companies, Inc. (NYSE: TJX) Parent HQ: 770 Cochituate Road, Framingham, Massachusetts 01701, USA European HQ: Watford, Hertfordshire, United Kingdom Audit Date: June 2026 Evidence Base: Published corporate disclosures, SEC filings, trade and technology press, NGO research, and biometric-policy reporting. All factual claims are drawn from publicly available sources cited in the End Notes.

Scope and directionality note: Digital assesses the digital/technology nexus to Israel. The serious case is the provision of surveillance, digital, data, or cyber technology to the Israeli state, military, or security services. The reverse direction - TK Maxx/TJX procuring technology from Israeli-origin vendors - is a customer relationship and is recorded explicitly as such, weighted far lower than provision. No transitive guilt is imputed: an Israeli vendor’s other clients, its founders’ military backgrounds, or a parent group’s separate activities are not attributed to TJX. US-entity relationships (e.g. Microsoft, Amazon, Google) are not Israeli-origin and are noted only for completeness. A cyberattack committed against the company is recorded as done to TJX, not as provision.

Enterprise Technology Stack & Vendor Relationships

Vendor Disclosure Posture (Direction: TJX as customer)

TJX is a large US off-price retailer whose SEC filings and corporate-responsibility disclosures describe an Information Management Program overseen by an internal Information Management Steering Committee drawing on IT, Cybersecurity, Risk and Compliance, Privacy, Legal, and Internal Audit functions, with board-level oversight of information-security and data-privacy risk.1 These disclosures acknowledge reliance on third-party technology and cloud providers but do not name specific security partners or technology suppliers by company or national origin.1 This non-disclosure posture is common among large US retailers and means the vendor-level stack cannot be reconstructed from public filings alone.

Cloud and Enterprise Platforms (Direction: TJX as customer)

Trade-press and technographic profiling indicate TJX uses cloud services from US hyperscalers - Amazon Web Services and Microsoft Azure - alongside point-of-sale, ERP, CRM, supply-chain-management, and data-analytics systems.23 AWS, Azure, and Google are US-headquartered entities; these are not Israeli-origin vendor relationships and are recorded for completeness only.23 No public source reviewed names an Israeli-origin enterprise-software or cloud component within the TJX stack.

Israeli-Origin Technology Vendors

No public evidence was identified that TJX or TK Maxx holds a named licensing, subscription, integration, or partnership relationship with any Israeli-origin cybersecurity or enterprise-software vendor (for example Check Point, Wiz, CyberArk, SentinelOne, Palo Alto Networks, NICE, Verint, or Claroty). No joint press release, customer case study, or contractual reference linking any such vendor to TJX or TK Maxx was located.12 Israeli-origin retail-technology vendors documented with other European or US retail clients - including the e-commerce personalisation platform Dynamic Yield and the last-mile delivery platform Bringg - were reviewed; no public source links either to TJX or TK Maxx.45 No public evidence identified.

Systems Integrators & Managed Security Providers

No public evidence was identified of a named systems integrator, digital-transformation consultancy, or managed-security-service provider engaged by TJX/TK Maxx that has mandated or deployed Israeli-origin technology within its engagement. The managed-security layer is undisclosed; Israeli-origin technology embedded within a third-party managed service cannot be positively excluded on public evidence, but no such instance was identified.

Surveillance, Biometrics & Retail Technology

Facial Recognition & Biometric Identification

No public evidence was identified that TK Maxx operates live facial recognition on customers in its own stores. Big Brother Watch’s reporting and complaints on UK retail live facial recognition name Southern Co-op and a range of Facewatch clients - including Frasers Group brands (Flannels, House of Fraser, Sports Direct, USC), Home Bargains, B&M, Spar, Budgens, and convenience operators - but do not name TK Maxx as a Facewatch or live-FR user.67 Contemporaneous 2024–2025 reporting on the UK retail biometrics expansion named Sainsbury’s, Asda, and Tesco; TK Maxx did not appear.89

Project Pegasus - UK Domestic Law Enforcement

Project Pegasus is a UK Home Office / police–retailer data-sharing initiative launched in October 2023 under which participating retailers share CCTV imagery with police, who run it against the Police National Database using retrospective facial-recognition software to identify prolific offenders; the retailer-funded element was reported at around £600,000.1011 Reporting on the participating retailers names M&S, Boots, Co-op, John Lewis, Tesco, Sainsbury’s, Waitrose, and Next; TK Maxx was not among the named participants in the sources reviewed.1011 Project Pegasus is in any case a UK domestic law-enforcement programme with no Israel nexus, and the facial-recognition matching is performed by police, not by an Israeli-origin vendor; no provision of technology, data, or service to Israel arises from it.1011

Israeli-Origin Surveillance / Biometric Vendors

No public evidence was identified that TK Maxx or TJX has deployed facial-recognition, biometric, gait-analysis, or in-store behavioural-analytics technology of Israeli origin (e.g. Oosto/AnyVision, BriefCam, Trigo, Trax). No public evidence identified.

In-Store Loss Prevention & Electronic Article Surveillance

TJX/TK Maxx does not publicly disclose which camera systems, video-analytics platforms, or electronic-article-surveillance (EAS) vendors it deploys across its store estate. The global EAS market is dominated by Sensormatic, Checkpoint Systems, Nedap, and Avery Dennison - none of which is an Israeli-origin vendor - but no public source names which EAS or loss-prevention supplier TK Maxx uses, and no Israeli-origin loss-prevention platform was linked to the company.12 No public evidence identified.

Predictive Analytics, Workforce Monitoring & Social-Media Surveillance

No public evidence was identified of TK Maxx or TJX using Israeli-origin predictive-policing, sentiment-analysis, social-media-monitoring, or workforce-surveillance tools. Disclosed analytics activity is limited to internal retail operations (demand forecasting, inventory optimisation, personalisation).23

Cloud Infrastructure, Data Residency & Sovereign Cloud Participation

Data Centre Operations in Israel

No public evidence was identified that TJX or TK Maxx operates, leases, or co-locates data-centre infrastructure within Israel. Public location records list TJX operations in the United States, United Kingdom, Ireland, Germany, Poland, Austria, the Netherlands, Spain, and Australia, with the European headquarters in Watford; Israel does not appear among TJX’s operating locations.1314 No public evidence identified.

Project Nimbus & Israeli State Cloud Infrastructure

Not applicable. Project Nimbus is the Israeli-government cloud contract awarded to Google Cloud and Amazon Web Services; TJX is a retail customer of hyperscaler cloud services, neither a participant in nor a sub-provider to Project Nimbus.15 No public evidence was identified of TJX/TK Maxx involvement in any Israeli state-backed digital-infrastructure programme.

Data-Sovereignty or Resilience Services to Israeli State Institutions

No public evidence identified. TJX does not operate as a technology or cloud-service provider to any state body, Israeli or otherwise; its disclosed business is off-price retail.1 Sub-processor categories referenced in its privacy notices do not break down vendor national origin, leaving the cloud sub-supply chain opaque below the hyperscaler tier.

Defence, Intelligence & Security Sector Technology Relationships

Military & Intelligence Contracts

No public evidence was identified of any contract, partnership, or service agreement between TJX/TK Maxx and the Israeli Ministry of Defence, the Israel Defense Forces (IDF), or Israeli intelligence agencies (including Unit 8200-linked commercial entities). TJX is a retail business and does not publicly operate in the defence-technology or security-services sector.1

Provision of Technology / Data to the Israeli State or Military

No public evidence was identified of TJX/TK Maxx providing surveillance technology, data, software, cloud capacity, or digital services to the Israeli state, military, or security services. This is the directionally serious Digital case, and no qualifying evidence of it was found. No public evidence identified.

Dual-Use Technology Provision

No public evidence was identified of TJX/TK Maxx commercial technology being reported or confirmed as deployed for military, intelligence, or law-enforcement surveillance applications in Israel or the Occupied Palestinian Territories.

Offensive Cyber Capability & Cyber Incident History

No public evidence identified that TJX develops, licenses, or sells offensive cyber capability; it is an off-price retailer. TJX was itself the victim of one of the largest payment-card data breaches on record: between July 2005 and December 2006, attackers led by Albert Gonzalez exploited a weakly secured (WEP) wireless network at a US Marshalls store, moved laterally to corporate payment servers in Massachusetts and at TJX’s European headquarters in Watford, UK, and exfiltrated card and customer data; figures of roughly 45.7 million to as many as 94 million cards have been reported.1617 TJX disclosed the breach in January 2007, settled with 41 US states for US$9.75 million in 2009, and incurred remediation costs exceeding US$256 million.1617 This incident was done to TJX and has no nexus to the provision of technology to Israel; it is recorded here as factual digital context only. No more recent (2024–2025) cyberattack against TJX/TK Maxx was identified in the sources reviewed.

AI, Algorithmic & Autonomous Systems

AI/ML Provision to Israeli State Bodies

No public evidence identified. TJX’s disclosed AI/ML activity is limited to internal retail applications - demand forecasting, inventory optimisation, and personalisation - running on US-hyperscaler cloud platforms.23 No public evidence was identified of TJX/TK Maxx providing AI capability, model access, training data, or inference services to any Israeli state, military, or security body.

Training Data & Model Development Involving Israeli Population Data

No public evidence was identified of TJX/TK Maxx AI or ML models being trained on, or co-developed using, Israeli population datasets, intercepted communications, or surveillance-derived data. No co-development arrangement with Israeli research institutions (Technion, Hebrew University, Weizmann Institute) was identified.

Autonomous Systems & Lethality

No public evidence identified. The development or deployment of autonomous lethal systems is not within TJX’s business domain.1

Internal Algorithmic Deployment - Israeli-Origin AI Tooling

No public evidence was identified of any Israeli-origin AI vendor embedded in TJX’s stack. The undisclosed full vendor list means secondary embedding within a managed service cannot be positively excluded, but no such instance was identified.2

Technology Ecosystem & R&D Footprint

Israeli R&D Facilities

No public evidence was identified that TJX or TK Maxx operates any R&D facility, engineering office, innovation lab, or accelerator programme within Israel. Public location records place TJX’s technology and logistics activity at or near its Framingham, Massachusetts headquarters and its European facilities; Israel does not appear among its operating locations.1314 No public evidence identified.

Acquisitions & Investments in Israeli Technology Companies

No public evidence was identified of TJX acquiring, or taking a corporate-venture stake in, any Israeli technology company. TJX’s documented acquisition history is confined to retail brands and off-price ventures (e.g. Sierra Trading Post, Trade Secret in Australia, the Grupo Axo joint venture in Mexico), with no technology-sector M&A in Israel.1819 No public evidence identified.

Patents & IP Co-Development with Israeli Institutions

No public evidence was identified of patent portfolios, licensing, or co-development arrangements between TJX/TK Maxx and Israeli-domiciled entities or research institutions.

Supplier Code of Conduct - Technology Supply-Chain Provisions

TJX’s vendor/supplier conduct frameworks address ethical sourcing for its merchandise supply chain but do not, in public versions reviewed, contain provisions governing the national origin or geopolitical exposure of technology vendors, software suppliers, or digital-infrastructure providers.1 No technology-supply-chain due-diligence framework specific to vendor geopolitical exposure is publicly documented by TJX.

Civil Society Scrutiny & Regulatory History

NGO & Academic Scrutiny - Technology Supply Chain

No public evidence was identified of an NGO investigation, academic study, or UN report addressing TJX’s or TK Maxx’s technology relationships with the Israeli state, Israeli defence entities, or Israeli-origin vendors. TJX/TK Maxx does not appear in the UN OHCHR database of business enterprises involved in Israeli settlements, which is settlement-focused and consistent with TJX having no Israel operations.20 Civil-society attention on TK Maxx in relation to Israel has centred on merchandise (Israeli-manufactured products sold in stores), not on technology procurement or provision.

BDS & Boycott Campaigns

A consumer petition started in August 2021 urged TJ Maxx to stop selling Israeli-manufactured products, gathering several hundred signatures; its grounds concern the sale of Israeli-made goods (a merchandise/Economic question), not Israeli-origin technology procurement, software licensing, or digital-infrastructure provision.21 No public evidence was identified of a BDS or NGO campaign specifically targeting TK Maxx’s or TJX’s technology relationships, and no No Tech for Apartheid–style campaign references TJX (consistent with its absence from the enterprise-technology-services sector).22

Regulatory & Legal Actions - Technology Sales to Israeli State Entities

No public evidence identified of any export-control, sanctions, FCA, ICO, or equivalent regulatory action relating to TJX/TK Maxx technology sales, services, or data transfers to Israeli state entities. The most significant item in TJX’s technology regulatory history remains the 2005–2007 payment-card data breach and its US multi-state settlement, which is unrelated to any Israeli-origin technology relationship and is recorded above as victim-side context.1617

End Notes

Footnotes

  1. https://www.sec.gov/Archives/edgar/data/0000109198/000010919825000024/tjx-20250501.htm 2 3 4 5 6 7

  2. https://www.appsruntheworld.com/customers-database/customers/view/the-tjx-companies-inc-united-states 2 3 4 5 6

  3. https://www.jobzmall.com/tjx-companies/faqs/what-kind-of-technology-does-tjx-companies-use 2 3 4

  4. https://www.timesofisrael.com/mastercard-to-buy-israeli-tech-firm-dynamic-yield-from-mcdonalds/

  5. https://www.bringg.com/about

  6. https://bigbrotherwatch.org.uk/blog/update-big-brother-watchs-complaint-to-the-ico-on-retailer-facial-recognition/

  7. https://bigbrotherwatch.org.uk/campaigns/stop-facial-recognition/

  8. https://www.biometricupdate.com/202310/uk-launches-facial-recognition-drive-against-shoplifters

  9. https://www.computerweekly.com/news/366609660/Retailers-question-using-live-facial-recognition-for-shoplifting

  10. https://news.npcc.police.uk/releases/partnership-to-crack-down-on-shoplifting 2 3

  11. https://fortune.com/2023/09/12/britain-retailers-police-shoplifting-crime-john-lewis-tesco-sainsburys-co-op 2 3

  12. https://www.mordorintelligence.com/industry-reports/electronic-article-surveillance

  13. https://www.globaldata.com/company-profile/the-tjx-companies-inc/locations/ 2

  14. https://en.wikipedia.org/wiki/TK_Maxx 2

  15. https://www.theguardian.com/technology/2021/oct/12/google-amazon-project-nimbus-israel-military-cloud

  16. https://www.hedgehogsecurity.co.uk/blog/anatomy-of-a-breach-tjx-tk-maxx 2 3

  17. https://www.pinsentmasons.com/out-law/news/tk-maxx-owner-offers-41-million-for-record-breaking-data-breach 2 3

  18. https://investor.tjx.com/news-releases/news-release-details/tjx-companies-inc-acquire-price-australian-retailer-trade-secret

  19. https://investor.tjx.com/news-releases/news-release-details/tjx-companies-inc-announces-plans-joint-venture-mexico-grupo-axo

  20. https://www.business-humanrights.org/en/latest-news/un-creates-database-of-companies-operating-in-israeli-settlements-in-occupied-west-bank-east-jerusalem/

  21. https://www.change.org/p/ernie-herrman-boycott-the-selling-of-israeli-products-in-tj-maxx-stores

  22. https://www.notechforapartheid.com/