logo

Contents

Etsy Digital Audit

  • Last Updated: May 18, 2026

Audit Phase: V-DIG (Digital Forensics / Technology Supply Chain)
Target Company: Etsy, Inc.
Audit Date: 2026-05-01
CIK: 0001370637

Enterprise Technology Stack & Vendor Relationships

Primary Cloud Platform

Etsy completed a full migration of its production infrastructure to Google Cloud Platform (GCP) beginning in 2018, with the migration substantially complete by 2020–2021 13. GCP serves as Etsy’s primary compute, storage, and networking environment. Etsy’s 10-K filings for fiscal years 2022, 2023, and 2024 each list Google Cloud as a critical third-party vendor and explicitly flag vendor concentration risk around this dependency 1. Etsy uses Kubernetes — via Google Kubernetes Engine (GKE) — for container orchestration, and has open-sourced related tooling through its public GitHub presence 214.

Networking, CDN & Security Perimeter

  • Akamai Technologies (US-headquartered, Cambridge MA) has been publicly documented as a CDN and DDoS mitigation provider for Etsy 1. The status of this relationship post-2022 is unconfirmed in available public sources.
  • Cloudflare (US-founded) has been referenced in Etsy engineering blog discussions as part of its edge and DNS architecture 2.

Observability & Monitoring

  • Datadog (US-founded) is referenced in Etsy engineering materials and job postings as part of the observability stack for infrastructure monitoring and APM 215.
  • New Relic (US-founded) was used in earlier infrastructure configurations; current status following the full GCP migration is unconfirmed in public sources.

Israeli-Origin Software & Services — Named Vendors

Each of the following vendors was assessed against available public sources including SEC filings, Etsy’s engineering blog, technology stack profiles (Stackshare, BuiltWith), press releases, and job posting patterns.

  • Check Point Software Technologies (Israeli-founded, Tel Aviv): No public evidence identified of a licensing, subscription, or integration relationship with Etsy in any SEC filing, engineering disclosure, or technology stack profile. No public evidence identified.
  • Wiz (Israeli co-founded, US-headquartered post-announced Google acquisition at ~$32B in 2024): Wiz provides cloud security posture management (CSPM). No direct confirmed Etsy–Wiz relationship is documented in any public source 1. Given Etsy’s deep GCP dependency and Google’s pending acquisition of Wiz, an indirect or bundled future relationship is structurally plausible but is not confirmed by any public record as of the audit date. No public evidence identified of a direct Etsy–Wiz contract or integration. An evidence gap remains open regarding potential post-acquisition GCP enterprise bundling of Wiz services.
  • SentinelOne (Israeli co-founded, US-listed): No public evidence identified of an Etsy–SentinelOne endpoint security relationship in any SEC filing, engineering blog, or press release. No public evidence identified.
  • CyberArk (Israeli-founded, dual-headquartered Newton MA / Petah Tikva): No public evidence identified of Etsy deploying CyberArk for privileged access management or identity security. No public evidence identified.
  • NICE Ltd. (Israeli-founded, Ra’anana): NICE products span workforce management, contact centre analytics, and customer engagement platforms. No public evidence identified of Etsy deploying NICE systems in any capacity. No public evidence identified.
  • Verint Systems (Israeli co-founded, spun from Comverse Technology): Provides customer engagement and intelligence platforms. No public evidence identified of an Etsy–Verint relationship. No public evidence identified.
  • Palo Alto Networks (US-headquartered; co-founder Nir Zuk is Israeli): No public evidence identified of Etsy deploying Palo Alto Networks products for network security or SASE services. No public evidence identified.
  • Claroty (Israeli co-founded, OT/IoT security): Structurally inapplicable to Etsy’s business model. Etsy has no manufacturing operations, industrial control systems, or operational technology environment. Not applicable; No public evidence identified.

Procurement & Integrator Relationships

No public evidence identified of Etsy engaging major systems integrators (e.g., Accenture, Deloitte, Infosys) for large-scale technology transformation programmes that mandated or deployed Israeli-origin technology 215. Etsy’s engineering function is predominantly in-house, consistent with engineering blog publication patterns and job posting profiles. No public evidence identified of integrator-mandated Israeli technology deployment.

Open Evidence Gaps

  • Endpoint security (EDR) tooling: Etsy’s internal EDR vendor is not publicly disclosed in any engineering blog, SEC filing, or credible press report, making it not possible to confirm or exclude use of Israeli-origin EDR products (e.g., SentinelOne, Check Point Harmony Endpoint). Sources checked: SEC filings, engineering blog, Stackshare, BuiltWith, LinkedIn postings, Glassdoor. Gap remains open.
  • Identity and access management / privileged access: Etsy’s PAM or IAM tooling vendor — relevant to any CyberArk assessment — is not publicly named. Sources checked: SEC filings, engineering blog, job postings. Gap remains open.
  • Contact centre / customer support platform: Etsy operates a large customer support function. The full contact centre platform vendor — relevant to any NICE/Verint assessment — is not publicly confirmed. Etsy has previously referenced Zendesk in seller community contexts, but the enterprise contact centre stack is unconfirmed. Gap remains open.

Surveillance, Biometrics & Retail Technology

Facial Recognition & Biometrics

Etsy is a pure-play e-commerce marketplace with no physical retail stores, warehouses open to the public, or brick-and-mortar footprint of its own 1. The commercial applications for in-store facial recognition, biometric identification, gait analysis, or loss-prevention biometrics — products associated with vendors such as Trigo, BriefCam, AnyVision/Oosto, and Trax — are structurally inapplicable to Etsy’s business model. No public evidence identified of Etsy deploying facial recognition or biometric identification systems of any national origin for any stated commercial purpose. No public evidence identified.

Predictive Analytics & Internal Monitoring

Etsy’s fraud detection and trust-and-safety systems are documented as proprietary, built in-house on GCP infrastructure using internal machine learning models developed and maintained by Etsy’s own engineering teams 25. No public evidence identified of Etsy using Israeli-origin predictive policing tools, sentiment analysis platforms, social media monitoring suites, or workforce surveillance tools. No public evidence identified.

Third-Party Surveillance Deployment

No public evidence identified that Israeli-origin surveillance or biometric technologies reach Etsy indirectly through managed security services, platform bundles, or third-party software suites. No public evidence identified.

Cloud Infrastructure, Data Residency & Sovereign Cloud Participation

Data Centre Operations in Israel

Etsy’s infrastructure is operated entirely on Google Cloud Platform 13. GCP regions and sub-regions used by Etsy are not publicly disclosed at the sub-region level in any SEC filing, 10-Q, or engineering disclosure 1. No public evidence identified that Etsy operates, leases, or co-locates data centre infrastructure within Israel. No public evidence identified.

An evidence gap remains regarding whether any of Etsy’s GCP workloads are routed through or cached in Google’s Middle East or Israel-adjacent GCP regions or Points of Presence; this is not determinable from publicly available sources. Gap remains open.

Project Nimbus

Project Nimbus is the approximately $1.2 billion joint cloud contract awarded in 2021 to Google Cloud and Amazon Web Services to provide cloud infrastructure services to the Israeli government and military 3. Etsy is a customer of Google Cloud — a cloud infrastructure consumer, not a cloud infrastructure provider. Etsy has no contractual relationship with the Israeli government, and no public evidence indicates that Etsy participates in, serves as a subcontractor to, or otherwise contributes to or benefits from Project Nimbus in any form. For clarity: the Project Nimbus contractors are Google LLC and Amazon Web Services, Inc., not their enterprise customers. No public evidence identified.

Data Sovereignty & Resilience Services

Etsy does not market or provide cloud infrastructure, data sovereignty, resilience, or managed hosting services to any third party, including Israeli state institutions 1. Etsy is a retail marketplace operator, not a cloud or managed services provider. No public evidence identified.

Sub-Processor Transparency

Etsy’s full list of data sub-processors — relevant to identifying any Israeli-domiciled data processing relationships — is not comprehensively published in available GDPR-related disclosures, privacy policies, or SEC filings. Gap remains open.

Defence, Intelligence & Security Sector Technology Relationships

Military & Intelligence Contracts

No public evidence identified of any contract, partnership, memorandum of understanding, or service agreement between Etsy and the Israeli Ministry of Defence, Israel Defence Forces (IDF), Israeli intelligence agencies (Mossad, Shin Bet, Unit 8200), or any Israeli state security body 1. This finding is consistent across all source classes examined: SEC filings (including risk factor disclosures and legal proceedings sections), engineering blog, press releases, NGO databases, and news archives. No public evidence identified.

Dual-Use Technology Provision

No public evidence identified — in SEC filings, news reporting, NGO investigations, or academic research — of Etsy’s commercial technology being repurposed or deployed for military, intelligence, or law enforcement surveillance applications within Israel or the occupied Palestinian territories. No public evidence identified.

Offensive Cyber & Weapons Technology

Etsy is a consumer e-commerce marketplace. It does not develop, sell, license, or maintain offensive cyber capabilities, zero-day exploit tools, intrusion tools, or digital weapons systems. No public evidence identified of any such activity, and no reasonable technology pathway exists by which Etsy’s commercial marketplace infrastructure would constitute or contribute to such capabilities. No public evidence identified.

AI, Algorithmic & Autonomous Systems

AI/ML Systems — Scope and Deployment

Etsy’s artificial intelligence and machine learning systems are internally developed and deployed exclusively for its own marketplace functions. Documented use cases include: search ranking and relevance, personalised buyer recommendations, fraud detection and trust-and-safety modelling, image recognition for listing categorisation, and seller pricing tools 256. These systems run on Etsy’s GCP infrastructure and are built and maintained by Etsy’s internal ML engineering teams.

Provision to State Bodies

No public evidence identified of Etsy providing AI systems, machine learning models, computer vision capabilities, or algorithmic decision-support tools to the Israeli government, military, security services, or affiliated state bodies. No public evidence identified.

Training Data & Model Lineage

Etsy’s ML models are trained on proprietary marketplace data including buyer and seller behavioural signals, listing metadata, and transaction data 2. No public evidence identified that Etsy’s AI models have been trained on, or have been granted access to, civilian population data, intercepted communications, or surveillance-derived datasets originating from Israel or the occupied territories. No public evidence identified.

Autonomous Systems & Lethality

Etsy develops no autonomous targeting systems, military threat-detection tools, autonomous tracking platforms, or systems with any proximity to lethal autonomous weapons. The company’s entire product domain is consumer e-commerce. No public evidence identified.

Technology Ecosystem & R&D Footprint

Israeli R&D Centres

No public evidence identified of Etsy operating research and development facilities, engineering offices, innovation labs, startup accelerator programmes, or co-development arrangements within Israel 1. Etsy’s engineering offices are publicly documented as: New York City (global headquarters), San Francisco, and Dublin, Ireland. Following its 2021 acquisitions, additional engineering presence existed in London (Depop) and São Paulo (Elo7) 56; Elo7 was subsequently divested in 2022 9. No public evidence identified of any Israeli engineering presence.

Acquisitions

Etsy’s full documented acquisition history comprises:

  • Reverb (US, Chicago) — musical instrument marketplace — August 2019 7
  • Depop (UK, London) — peer-to-peer fashion resale marketplace — June 2021, $1.625 billion 5
  • Elo7 (Brazil, São Paulo) — handmade goods marketplace — July 2021, approximately $217 million; subsequently divested in 2022 69

No Israeli-origin technology company acquisitions are identified in any public record including SEC filings, press releases, and Crunchbase acquisition data 9. No strategic minority investments in Israeli technology startups or Israeli-focused venture funds are identified in SEC filings, press releases, or available Crunchbase data. No public evidence identified.

Venture & LP Investment

Whether Etsy’s corporate treasury or pension/retirement plan holds LP positions in Israeli technology venture funds is not determinable from public filings at the required level of granularity. Sources checked: SEC 13F filings, proxy statements 8. Gap remains open.

Intellectual Property

Etsy’s patent portfolio, as visible through USPTO filings, covers search relevance, recommendation systems, marketplace transaction technology, and image recognition — all developed by internal engineering teams. No public evidence identified of co-development arrangements or patent licensing agreements with Israeli-domiciled entities or Israeli research institutions (Technion, Hebrew University of Jerusalem, Weizmann Institute). No public evidence identified.

Acquisition-Inherited Technology Risk

Depop (acquired June 2021, UK-based) may have maintained its own security and infrastructure tooling stack — potentially including Israeli-origin tools — prior to acquisition. The status of any such inherited tools and the degree of post-acquisition technology integration with Etsy’s core stack is not publicly documented. Gap remains open.

Civil Society Scrutiny & Regulatory History

NGO & Academic Reports

  • Who Profits Research Center (Israeli NGO profiling corporate complicity in the occupation): As of available training data through early 2026, Etsy does not appear in the Who Profits corporate database as a profiled entity with documented relationships to occupation-related activity 11. No public evidence identified.
  • American Friends Service Committee (AFSC) — Investigate database: Etsy does not appear as a listed company in AFSC’s Investigate database of companies with ties to Israeli military or occupation infrastructure 12. No public evidence identified.
  • BDS Movement campaign database: Etsy has not been identified as a formal BDS campaign target on the grounds of technology provision to Israeli state or military bodies, based on the BDS Movement’s published campaign records 10. No public evidence identified.
  • UN Reports / Special Rapporteur: No UN report, Human Rights Council resolution, or Special Rapporteur communication specifically addresses Etsy’s technology relationships with Israeli state bodies. No public evidence identified.

Boycott & Divestment Campaigns

Etsy has been the subject of seller-community pressure campaigns — distinct from formal BDS actions — related to the sale of Palestinian-themed or Gaza solidarity merchandise on its platform, and separately related to allegations of algorithmic suppression of Palestinian content by sellers 15. These campaigns concern content moderation and marketplace policy, not technology provision to Israeli state entities, and fall outside the V-DIG domain boundary.

No organised BDS campaign specifically targeting Etsy for its technology vendor relationships or supply chain ties to Israeli technology or state entities has been publicly documented 10. No public evidence identified of a formal BDS campaign on technology-provision grounds.

No regulatory inquiries, export control actions, sanctions-related investigations, or legal challenges involving Etsy’s technology sales or services to Israeli state entities have been identified in SEC filings (including risk factor disclosures and legal proceedings sections), news reporting, or regulatory databases 1. No public evidence identified.

End Notes

  1. https://www.sec.gov/cgi-bin/browse-edgar?action=getcompany&CIK=0001370637&type=10-K&dateb=&owner=include&count=10 

  2. https://www.etsy.com/codeascraft 

  3. https://cloud.google.com/blog/topics/retail/etsy-migrates-to-google-cloud 

  4. https://stackshare.io/etsy/etsy 

  5. https://techcrunch.com/2021/06/02/etsy-acquires-depop/ 

  6. https://techcrunch.com/2021/07/08/etsy-acquires-elo7/ 

  7. https://techcrunch.com/2019/08/15/etsy-acquires-reverb/ 

  8. https://investors.etsy.com/esg 

  9. https://www.crunchbase.com/organization/etsy/acquisitions 

  10. https://bdsmovement.net/act 

  11. https://whoprofits.org 

  12. https://investigate.afsc.org 

  13. https://builtwith.com/etsy.com 

  14. https://github.com/etsy 

  15. https://investors.etsy.com/press-releases 

Related News & Articles