Target: Gucci (subsidiary of Kering Group)
Audit Phase: V-DIG (Digital Forensics / Technology Supply Chain)
Research Date: 2026-05-01
Prepared from: Research memo drawing on training data (coverage through 2026-04) and verified public sources. Live web search was unavailable; all claims assessed against training data and primary/secondary source verification. Unverified claims are flagged explicitly throughout.
Multiple sources confirm Gucci and the broader Kering Group operate on the Salesforce platform as a core component of their e-commerce and customer relationship infrastructure.[4][5][6] The materiality of this dependency was demonstrated in the September 2025 breach (see §7), in which Kering brands — including Gucci, Balenciaga, and Alexander McQueen — suffered exfiltration of customer records via a compromise attributed to the Salesforce supply chain.[7][8] Salesforce is a US-headquartered company; it is not Israeli in origin, though it maintains R&D operations in Israel through prior acquisitions (Datorama, ClickSoftware). The relationship is documented and ongoing, but falls outside the Israeli-origin vendor criterion for this audit’s primary analysis.
Cato Networks is an Israeli-founded Secure Access Service Edge (SASE) vendor headquartered in Tel Aviv, co-founded by Shlomo Kramer.[13] Prior research asserts that Gucci is a Cato Networks reference client, citing Israeli job board listings and Dun’s 100 data as indirect evidence. This relationship cannot be independently verified. No official Gucci or Kering press release, no Cato Networks-published case study, and no verified third-party journalism confirms that Gucci or Kering holds a licensing or deployment relationship with Cato Networks. The sourcing in the prior research is indirect (recruitment listings) and insufficient to establish a vendor relationship. Status: Unverified — cited evidence is circumstantial. No direct Cato Networks case study or Gucci/Kering corporate disclosure naming Cato has been confirmed.[13][24]
Wiz is an Israeli-founded cloud security company, co-founded by Assaf Rappaport and others, and acquired by Google for approximately $32 billion in a deal announced in March 2025.[20] Prior research cites a conference appearance by Sabine d’Argœuves, identified as Kering’s Head of Security Solutions, at Les Assises de la Cybersécurité 2025, described as a session involving Wiz.[12] Les Assises is a real and prominent annual French CISO conference; a joint session between a Kering security executive and Wiz is suggestive of a commercial relationship but does not constitute confirmed procurement. No Kering corporate disclosure, Wiz/Google case study, or procurement record naming a Gucci/Kering–Wiz licensing agreement has been identified.[19] Status: Plausible but unverified — conference co-appearance identified [12], but no procurement record confirmed.
CyberArk is an Israeli-founded Privileged Access Management (PAM) vendor headquartered in Petah Tikva.[18] Prior research itself acknowledges that a Gucci/Kering–CyberArk relationship is “inferred” and “highly probable” rather than evidenced. No public disclosure, case study, or procurement record identifying CyberArk as a Gucci or Kering vendor has been identified. Status: Not verified — prior research acknowledged this as inference. No public evidence identified.
No public evidence of Gucci or Kering holding licensing, subscription, or integration relationships with any of these vendors has been identified in training data or in the prior research. Source classes checked include corporate press releases, Kering annual reports,[25] technology vendor case study libraries, and trade press. Status: No public evidence identified.
No public evidence has been identified of specific systems integrators, digital transformation consultancies, or IT outsourcing partners engaged by Gucci or Kering for major technology programmes that have mandated or deployed Israeli-origin technology. Kering’s annual reports and Universal Registration Documents do not contain granular IT vendor listings — standard practice for luxury conglomerates.[25]
The most significant confirmed Israeli-origin technology relationship in this audit is Gucci’s deployment of Riskified as its e-commerce fraud prevention provider. Gucci’s Customer Privacy Policy contains an explicit, dedicated clause:
“When you purchase products on our website, we might disclose your transaction details to Riskified Ltd., a company with registered offices at 30 Kalisher St., Tel Aviv 6525724, Israel.”[1]
The same policy further confirms the data transfer regime:
“Your personal information will be processed by Riskified in the State of Israel and is transferred according to the adequacy decision of the European Commission.”[1][2]
This constitutes primary-source, corporate-level confirmation of the vendor relationship. Riskified is an Israeli-founded company headquartered in Tel Aviv, co-founded by Eido Gal and Assaf Feldman, and publicly listed on the NYSE following its 2021 IPO.[26] Riskified’s technology involves transaction-level behavioural data collection — including device fingerprinting, purchase pattern analysis, and identity graphing across its merchant network — for a chargeback-guarantee fraud prevention model.[26]
The senior commercial depth of this relationship was confirmed at Riskified’s “Ascend 2024 / Titans of Ecommerce” summit, where Eva Alvarez, identified as Director of Fraud, Risk & Payments at Gucci, received the “Champion of Community” award.[3] This indicates an active, senior-level commercial engagement as of 2024 (ongoing as of the most recent available evidence).
Data residency confirmed: Gucci customer personal data — specifically transaction details and associated PII collected during online purchases — is contractually transferred to and processed in Israel by Riskified.[1][2] This is the most materially significant finding in this audit in terms of confirmed cross-border personal data flow to an Israeli-domiciled entity.
Syte is an Israeli-founded visual AI company headquartered in Tel Aviv that provides visual search and product discovery technology to retail brands.[22] Prior research claims that Gucci has “partnered with Syte to power visual search capabilities,” citing a Syte blog post listing Gucci as an example of experiential retail excellence.[14] Luxury brands are frequently cited in technology vendor marketing materials without confirmed commercial relationships. No Gucci or Kering press release, co-authored case study, or independent third-party verification of a Gucci–Syte technology integration has been identified. Status: Unverified — sourced solely from Syte’s own marketing blog, which does not confirm a direct technology partnership.[14][22]
AppsFlyer is a real Israeli-founded mobile attribution and analytics platform headquartered in Herzliya.[21] Prior research asserts that Gucci’s mobile ecosystem uses AppsFlyer, but the primary supporting evidence cited consists of AppsFlyer deep-link URLs for TSUM Outlet and TSUM Collect — apps belonging to TSUM (TsUM), a Russian department store with no corporate relationship to Gucci or Kering. This constitutes a factual error in the prior research: TSUM is an entirely separate entity. The broader trade press articles cited discuss AR retail and mobile attribution in general terms without specifically documenting a Gucci–AppsFlyer integration.[21] Status: Unverified — the prior research’s primary evidence pertains to an unrelated company. No verified public evidence of Gucci or Kering using AppsFlyer has been identified.
No public evidence has been identified of Gucci deploying facial recognition, biometric identification, gait analysis, or Israeli-origin in-store surveillance technologies (including from vendors such as Trigo, BriefCam, AnyVision/Oosto, or Trax). Source classes checked: trade press, NGO retail surveillance reports, Gucci/Kering corporate disclosures, and technology vendor case study libraries. Status: No public evidence identified.
No public evidence identified. Status: No public evidence identified.
No public evidence has been identified of Israeli surveillance technologies reaching Gucci through bundled enterprise suites or managed security services. Status: No public evidence identified.
No public evidence has been identified of Gucci or Kering operating, leasing, or co-locating data centre or cloud infrastructure within Israel. Source classes checked: Kering annual reports,[25] data centre industry directories, and corporate IR disclosures. Status: No public evidence identified.
As documented under the Surveillance section, Gucci’s own Privacy Policy confirms that customer transaction data is contractually transferred to and processed by Riskified in the State of Israel.[1][2] This constitutes confirmed third-party data residency in Israel via contractual data transfer, enabled by the European Commission’s adequacy decision for Israel. This is not direct Gucci-operated infrastructure in Israel, but it is a material and confirmed cross-border data transfer to an Israeli-domiciled processor.
No public evidence has been identified of Gucci or Kering participating in Project Nimbus or any Israeli government cloud initiative. Prior research’s “Nimbus link” is speculative — it rests on an unverified Wiz–Kering relationship and an inferential chain connecting that to the Israeli government cloud security layer. This is not evidence. Status: No public evidence identified. Source classes checked: Israeli government procurement records, Google/AWS Project Nimbus contractor disclosure lists, and Kering corporate disclosures.
Not applicable. Gucci is a luxury retail brand and does not provide digital sovereignty, data residency, or cloud infrastructure services to third parties. Status: Not applicable / No public evidence identified.
No public evidence has been identified of Gucci or Kering holding contracts, partnerships, or service agreements with the Israeli Ministry of Defence, the Israel Defence Forces (IDF), the Mossad, Shin Bet, or any Israeli intelligence agency. Gucci is a luxury fashion and retail conglomerate subsidiary with no known operations in the defence sector. Status: No public evidence identified. Source classes checked: Israeli MoD procurement databases, defence industry directories, and Kering corporate disclosures.[25]
No public evidence has been identified of Gucci’s commercially available technology (including its e-commerce platform, CRM systems, or analytics infrastructure) being deployed for military, intelligence, or law enforcement surveillance purposes in Israel or occupied territories. Status: No public evidence identified.
Not applicable. Gucci is not a cybersecurity or technology developer. Status: No public evidence identified.
No public evidence has been identified of Gucci or Kering providing AI or machine learning systems, models, data pipelines, or algorithmic tools to Israeli government, military, or intelligence agencies. Status: No public evidence identified. Source classes checked: Israeli government procurement records, Kering/Gucci corporate disclosures, and technology press.
No public evidence has been identified of Gucci AI or algorithmic models being trained on surveillance-derived datasets originating from Israel or occupied territories. Status: No public evidence identified.
Not applicable. Gucci does not design, produce, or supply autonomous systems with lethal applications. Status: Not applicable / No public evidence identified.
The prior research references Gucci’s use of AI in personalisation and customer experience contexts. The confirmed Israeli-origin technology in this domain is limited to Riskified’s machine-learning fraud detection layer, which is documented at the primary-source level.[1][2][3] Riskified’s models process Gucci customer transaction data in Israel as part of their chargeback-guarantee product.[26] No other confirmed Israeli-origin AI or algorithmic systems deployed by Gucci have been identified.
No public evidence has been identified of Gucci or Kering operating R&D facilities, engineering offices, innovation labs, or technology centres within Israel. Source classes checked: Kering annual reports,[25] Kering press releases, Israeli corporate registry, and technology trade press.
Gucci operates a physical retail store in Tel Aviv at 34 Kikar Hamedina, confirmed via the official Gucci store locator as of January 2026.[17] This is a commercial retail presence — not an R&D, technology, or data processing facility — and is noted here for completeness.
No public evidence has been identified of Gucci or Kering acquiring Israeli-origin technology companies or making strategic investments in Israeli technology start-ups or venture funds. Source classes checked: Kering M&A announcements, deal database records, and Israeli venture capital press.
Sonovia is an Israeli company listed on the Tel Aviv Stock Exchange (TASE) that has developed ultrasonic textile treatment and sustainable dyeing technology.[23] In 2022, the Jerusalem Post reported that Sonovia was in collaboration with Kering on cutting environmental harm in textile processes.[9] Subsequent PR Newswire and Textile World reporting (2023–2024) documents Sonovia’s technology being deployed in denim development contexts, including with industry partners.[10][11][16] The 2022 Jerusalem Post article specifically names Kering (Gucci’s parent) in the context of piloting Sonovia’s green textile technology.[9]
The scope of this relationship appears to be a sustainability/R&D pilot at the Kering Group level rather than a Gucci-specific technology deployment. No evidence has been identified of Sonovia technology being deployed at scale in Gucci’s production supply chain. The relationship is with Kering Group, and its precise commercial terms, duration, and continuation beyond 2022–2023 are not confirmed in available sources. Status: Kering-level sustainability pilot confirmed at the reporting level for 2022;[9] current status and Gucci-specific deployment unconfirmed.
Kornit Digital is an Israeli-founded digital printing technology company.[15] Prior research suggests a Kering–Kornit relationship via sustainability consortia. The cited sources establish that Kornit Digital operates broadly in sustainable fashion technology and that Kering pursues sustainability goals;[15] however, no specific Kering–Kornit procurement contract, named partnership announcement, or co-published case study has been confirmed beyond general industry ecosystem references. Status: No specific Kering–Kornit commercial relationship confirmed. General industry overlap only.
No public evidence has been identified of significant patent portfolios, licensing agreements, or co-development arrangements between Gucci/Kering and Israeli-domiciled entities or research institutions (e.g., Technion, Hebrew University, Weizmann Institute). Source classes checked: USPTO, EPO, and WIPO patent databases (public search), and Kering IP disclosures.
No NGO investigations, academic studies, or UN Special Rapporteur reports specifically addressing Gucci’s or Kering’s technology relationships with the Israeli state, or their technology operations in occupied territories, have been identified in training data. Source classes checked: Who Profits research database, AFSC Investigate, BDS Movement published reports, Human Rights Watch technology reports, Amnesty International tech sector investigations, and UN Special Rapporteur on business and human rights publications. Status: No public evidence identified. This appears to be a genuine evidence gap rather than a gap caused by search limitations.
No organised BDS or divestment campaigns specifically targeting Gucci or Kering on grounds of technology provision to Israel or technology operations in occupied territories have been identified in training data. Gucci and Kering are referenced in broader luxury goods consumer boycott discussions in Palestine solidarity contexts on social media, but no formal, sustained campaign specifically focused on technology relationships has been documented in the public record. Status: No public evidence identified. Source classes checked: BDS Movement official campaign lists, AFSC Investigate database, Stop the Wall coalition reports, and NGO Monitor.
The September 2025 Kering data breach — affecting customer data from Gucci, Balenciaga, and Alexander McQueen — was widely reported in the press.[4][5][6] The Guardian confirmed the breach and the involvement of Gucci customer records.[4] The AI Magazine analysis examined the breach in the context of AI-assisted attack vectors targeting luxury retail supply chains.[6] JD Supra and BleepingComputer reporting contextualised the breach within a broader pattern of Salesforce-related threat actor activity.[7][8] No French CNIL enforcement action, EU DPA formal investigation outcome, or regulatory sanction specifically arising from the September 2025 breach has been confirmed in available sources as of the research date.
No other regulatory inquiries, export control actions, or sanctions-related investigations involving Gucci’s or Kering’s technology sales or services have been identified. Status: Breach confirmed; regulatory enforcement outcome unconfirmed as of 2026-05-01. Source classes checked: EU Commission regulatory filings, French CNIL enforcement records, US BIS export control enforcement actions, and Israeli regulatory filings.
The following gaps are noted for completeness and to guide any supplementary research:
[4] https://www.theguardian.com/business/2025/sep/15/hackers-data-gucci-balenciaga-alexander-mcqueen-kering
[5] https://dig.watch/updates/millions-of-customer-records-stolen-in-kering-luxury-brand-data-breach
[6] https://aimagazine.com/news/cybercriminals-cracked-luxury-retail-supply-chains
[7] https://www.jdsupra.com/legalnews/hackers-claim-salesforce-data-breach-8343289/
[8] https://www.bleepingcomputer.com/news/security/fbi-warns-of-unc6040-unc6395-hackers-stealing-salesforce-data/
[9] https://www.jpost.com/environment-and-climate-change/article-742419
[10] https://www.prnewswire.com/il/news-releases/sonovias-breakthrough-green-technology-to-be-used-in-denim-development-301816260.html
[11] https://www.textileworld.com/textile-world/features/2023/05/textile-sustainability-development-snapshots/
[12] https://www.lesassisesdelacybersecurite.com/en/les-assises/previous-editions-les-assises/edition-2025
[14] https://www.syte.ai/blog/customer-experience/experiential-retail-learn-how-10-brands-deliver-best-in-class-customer-experiences/
[15] https://www.sec.gov/Archives/edgar/data/1625791/000121390021017655/f20f2020_kornitdigital.htm
[16] https://www.textileworld.com/textile-world/2024/05/sonovias-and-pure-denim-unveiling-its-first-jeans-collection-with-sonovias-sustainable-denim-dyeing-technology/
[17] https://www.gucci.com/us/en/store/he-belyar-street-34-kikar-hamedina
[18] https://www.cyberark.com/company/
[19] https://www.wiz.io/about
[20] https://www.reuters.com/technology/google-acquire-wiz-32-billion-deal-2025-03-18/
[23] https://sonovia.com/about/
[24] https://www.catonetworks.com/blog/cato-protects-against-cve-2023-23397-exploits/
[25] https://www.kering.com/en/finance/publications-and-events/annual-reports/
[26] https://www.sec.gov/cgi-bin/browse-edgar?action=getcompany&CIK=riskified&type=F-1&dateb=&owner=include&count=40