Audit Phase: V-DIG (Digital Forensics / Technology Supply Chain)
Target: John Lewis Partnership (JLP) — encompassing John Lewis department stores and Waitrose & Partners supermarkets
Date: 2026-05-01
JLP’s most significant confirmed technology dependency is a £100 million, five-year strategic agreement with Google Cloud, signed in August 2023 and running to approximately 2028.12 The partnership covers migration of JLP’s e-commerce platforms, development of a pan-Partnership loyalty programme, and broader digital infrastructure modernisation. Google Cloud is a US-headquartered company; its relevance to this audit is addressed under the Cloud Infrastructure section below in relation to Project Nimbus.
Google Cloud is also referenced in published enterprise case study material as among organisations deploying generative AI capabilities at scale, with JLP cited among enterprise customers in Google’s own published materials.3
In 2024, Wipro, an Indian multinational systems integrator, publicly confirmed the extension of its relationship with JLP to complete JLP’s cloud transformation project on Google Cloud Platform.4 Wipro is the confirmed primary implementation partner for this migration. No public evidence has been found that Wipro mandated or deployed Israeli-origin technology as a specific component of this JLP engagement.
Adaptavist, a UK/Canadian firm specialising in Atlassian ecosystem tooling, published a case study confirming a relationship with JLP covering Jira and Confluence platform management.5 No Israeli-origin technology component has been identified in this engagement.
A blog post authored by a confirmed JLP software engineer (Craig Morten) on the DEV Community platform explicitly describes using Snyk to identify and remediate Node.js module vulnerabilities within JLP’s codebase.6 Snyk was co-founded in Tel Aviv in 2015 and maintains R&D operations in Israel, though its headquarters are in New York and London. This constitutes practitioner-level evidence of tool use within JLP’s engineering practice; it does not confirm an enterprise-wide licensing agreement. The nature and current scope of any formal JLP–Snyk relationship is not publicly documented.
The following Israeli-origin cybersecurity vendors were asserted in prior research to be deployed at JLP: Check Point, Wiz, SentinelOne, CyberArk, and Aqua Security. After review, no corporate press releases, JLP annual reports, procurement records, or verified journalism independently confirm a named licensing or deployment relationship between JLP and any of these five vendors. The sources originally cited for these claims do not reference JLP and do not constitute evidence of a JLP relationship. These claims are accordingly excluded from this audit as unverified.
Similarly, Monday.com (Tel Aviv-headquartered project management SaaS) was asserted as an in-use JLP tool. The Adaptavist case study cited in support references Atlassian tooling, not Monday.com. No independently verifiable JLP–Monday.com relationship has been found, and this claim is excluded as unverified.
AppsFlyer (Israeli mobile attribution company, HQ Herzliya) was also asserted as in use by JLP. The Waitrose cookie and privacy disclosures78 do not name AppsFlyer in the version reviewed for this audit. This claim requires live-source confirmation and is not included as a verified finding.
Publicis Sapient is known from trade press to have engaged with JLP on digital transformation work; however, no public evidence has been found documenting specific Israeli-origin vendor deployments as part of any JLP–Publicis Sapient engagement. This relationship is noted as partial and unconfirmed at the technology-stack level.
The confirmed enterprise technology architecture centres on the Google Cloud platform, implemented through Wipro as integrator, with Atlassian tooling managed through Adaptavist. Annual report disclosures9 provide the corporate governance context for JLP’s technology investment programme but do not disclose a granular vendor list. The confirmed and verifiable Israeli-origin technology relationships within JLP’s enterprise stack, beyond the Google Cloud co-customer relationship addressed below, are limited to practitioner-level evidence of Snyk use and the time-limited Cimagine AR partnership addressed under the R&D section.
JLP is a confirmed member of Project Pegasus, a public-private retail crime intelligence partnership between major UK retailers and the OPAL (Organised and Prolific crime team) unit within the National Police Chiefs’ Council (NPCC), publicly launched in 2023.1011 The scheme involves a consortium of major retailers — confirmed to include JLP — contributing collective funding (the total retailer consortium contribution is cited at £840,000 across participating members) to enable retailers to submit CCTV footage to police analysts, who run images against the Police National Database for biometric matching.12
A legal analysis of the scheme describes its mechanism as enabling structured information sharing between the retail sector and law enforcement, with facial recognition matching performed on police infrastructure funded in part by the retailer consortium.13 This constitutes indirect deployment of state facial recognition infrastructure, with JLP as a contributing funder and image-supplying participant.
Big Brother Watch publicly wrote to major UK retailers in October 2023, explicitly naming JLP among the Project Pegasus participants and urging withdrawal from the scheme on civil liberties grounds, characterising it as enabling an “authoritarian” expansion of police facial recognition capability.14 The Guardian covered both the retailer campaign and the civil society response.15 A subsequent Guardian report in April 2024 documented the UK government’s commitment of £55 million for facial recognition tools in England and Wales, providing broader policy context for the scheme in which JLP participates.16
No public JLP response to the Big Brother Watch open letter has been identified.
Parliamentary-level scrutiny of live facial recognition in retail contexts was documented in a House of Lords committee correspondence dated November 2024, which addressed Project Pegasus specifically.17 This elevates the scheme to the level of parliamentary oversight.
Auror, a New Zealand-headquartered retail crime intelligence platform, is confirmed as in use by JLP/Waitrose. This is consistent with Auror’s UK market expansion and confirmed by Reveal Media’s published integration announcement, which documents Auror’s deployment in UK retail alongside body-worn camera technology.18 Auror’s Subject Recognition (ASR) product — a named facial recognition feature — is documented in Auror’s own published materials and in trade press.1920
The ASR product enables retailers to identify individuals flagged as known high-risk threats upon store entry. However, the underlying facial recognition technology vendor powering ASR is not publicly disclosed in Auror’s trust centre materials. Claims in prior research that Auror integrates with Oosto (formerly AnyVision) or Corsight AI (both Israeli-origin companies) have not been independently verified from available sources and are excluded from this audit. The Oosto/AnyVision entity’s history of West Bank surveillance controversy — including the Microsoft divestment episode reported in 2021 — is a matter of public record, but no confirmed integration with Auror has been established.
No public evidence of JLP deploying Facewatch facial recognition technology has been identified. The Southern Co-op’s Facewatch deployment is publicly documented but involves a different retailer.
Claims that Waitrose deploys Trax Retail shelf-edge cameras have not been verified. The only source cited in prior research is a Trax Retail blog post commenting on the Waitrose Shopic trial in general retail AI terms; this is third-party commentary and does not constitute a procurement record. Trax fundraising articles do not name Waitrose as a customer.2122 This claim is excluded as unverified.
Two pathways by which facial recognition capability reaches JLP without direct procurement have been identified:
JLP has no known direct participation in Project Nimbus. Project Nimbus is a contract between the Israeli government and Google Cloud and Amazon Web Services, announced in 2021 and valued at approximately $1.2 billion, providing cloud infrastructure and AI services to Israeli government ministries and the Israel Defense Forces.2324
JLP is a Google Cloud enterprise customer under a separately contracted commercial agreement.12 JLP is not a party to, nor a named sub-contractor under, Project Nimbus. The relationship is that of a co-customer of the same cloud provider, not a participant in Israeli government cloud infrastructure.
The significance of this relationship to the present audit lies in the following: JLP’s £100m Google Cloud agreement consolidates a substantial dependency on Google as its primary technology infrastructure provider. Google Cloud workers’ protests over Project Nimbus (April 2024), including the dismissal of employees following protest actions, are publicly documented2324 and reflect ongoing internal and external scrutiny of Google’s obligations to the Israeli government under that contract. This provides the civil society and reputational context for JLP’s primary cloud relationship, even though JLP’s own contractual position is separate.
JLP’s Google Cloud agreement is expected to utilise UK and/or EU data regions for GDPR compliance purposes,12 though specific data residency terms are not publicly disclosed. No public evidence has been identified that JLP operates, leases, or co-locates data centre infrastructure within Israel.
No public evidence has been identified that JLP provides cloud services, data sovereignty services, or any technology-as-a-service capability marketed or contracted to Israeli state institutions, military bodies, or security agencies. JLP is a UK retail and financial services operator and does not publicly offer cloud or data services to external government customers of any nation.
No public evidence has been identified of any contract, partnership, or service agreement between JLP and the Israeli Ministry of Defence, the Israel Defense Forces, or Israeli intelligence agencies. Source classes reviewed include JLP annual reports, Companies House filings, NPCC and UK government procurement portals, trade press, and defence contractor directories. No evidence of such relationships has been found.
No public evidence has been identified that JLP’s commercially available technology has been reported as deployed for military, intelligence, or law enforcement surveillance within Israel or occupied territories. JLP’s retail technology deployments (CCTV, Auror, Project Pegasus) are domestic UK in orientation.
No public evidence identified. This section is not applicable to JLP’s commercial profile as a UK retail and financial services operator. JLP has no known cyber-offensive capability development programme.
JLP’s confirmed AI deployments are commercially oriented and domestic in scope:
No public evidence identified of JLP providing AI, ML, computer vision, or autonomous decision-support systems to Israeli state, military, or security bodies.
No public evidence identified of JLP AI models being trained on surveillance-derived datasets from Israel or occupied territories.
No public evidence identified. Not applicable to JLP’s commercial profile.
No public evidence has been identified that JLP operates R&D facilities, engineering offices, or accelerator programmes within Israel.
JLP entered a commercial partnership with Cimagine, an Israeli augmented reality startup, to power the “Virtual Sofa” feature in the John Lewis iOS app.2829 This relationship was confirmed by ISRAEL21c reporting (2015) and Mobile Marketing Magazine (2016). This was a commercial licensing arrangement, not an acquisition by JLP. Cimagine was subsequently acquired by Snap Inc. in late 2016/early 2017. JLP did not acquire Cimagine; JLP was a customer and commercial partner.
This relationship is pre-2020 and the Cimagine entity no longer exists independently, having been absorbed by Snap. Whether JLP continues to use Snap-inherited AR technology for in-app furniture visualisation, and under what commercial terms, is not documented in available public sources.
JLP operated a retail technology accelerator programme (JLAB) from approximately 2013 through to its discontinuation. A 2018 The Drum article documents the shortlisting of six startups for the JLAB programme.30 Whether Israeli-origin startups — including Oriient, an Israeli indoor positioning company cited in prior research — were specifically shortlisted through JLAB requires live-source confirmation and is not established from available sources.
No public evidence identified of patent portfolios, licensing agreements, or co-development arrangements between JLP and Israeli-domiciled research institutions (Technion, Hebrew University, Weizmann Institute). Source classes checked include the European Patent Office public database and UK Intellectual Property Office records.
The Shopic smart trolley trial represents the most direct and current confirmed commercial engagement between a JLP operating division and an Israeli-origin technology company.2627 The trial is at pilot scale (one confirmed store location, August 2025 reporting). Third-party commentary from Trax Retail’s blog discusses the trial in a broader retail AI context22 but does not constitute evidence of a separate Trax–Waitrose commercial relationship.
Big Brother Watch has been the most active civil society organisation in scrutinising JLP’s technology relationships:
No NGO reports specifically addressing JLP’s technology relationships with the Israeli state or occupied territories have been identified. Source classes reviewed include Privacy International, Amnesty International, Human Rights Watch, Who Profits (Israeli NGO), and Visualising Palestine.
A House of Lords committee correspondence dated 4 November 2024 addressed the deployment of live facial recognition technology in retail contexts, referencing Project Pegasus specifically.17 This document constitutes parliamentary-level scrutiny of the scheme in which JLP participates as a confirmed member, elevating the accountability dimension of this relationship beyond NGO and press coverage.
The Guardian’s coverage in October 2023 reported on civil society pressure on Project Pegasus retailers, naming JLP.15 Subsequent April 2024 coverage documented the UK government’s £55 million facial recognition investment in England and Wales, contextualising Project Pegasus within a broader state surveillance expansion.16 The Guardian also reported in April 2024 on Google Cloud workers’ protests over Project Nimbus and subsequent dismissals,2324 providing reputational context for JLP’s primary cloud provider relationship.
No organised BDS or technology-specific divestment campaign specifically targeting JLP’s technology vendor relationships — as distinct from product or brand-level boycott activity — has been identified in available sources. Source classes checked include the BDS Movement official website, Palestine Solidarity Campaign (UK), and War on Want campaign records. JLP has been subject to broader consumer boycott activity related to the Gaza conflict (2023–present) common to many UK retailers, but no campaign specifically citing JLP’s technology supply chain has been publicly documented.
No regulatory inquiries, legal challenges, export control actions, or sanctions-related investigations involving JLP’s technology sales or services to Israeli state entities have been identified. The UK Information Commissioner’s Office has engaged broadly with facial recognition in retail — notably in the context of the Southern Co-op/Facewatch deployment — but no ICO action specifically naming JLP has been identified. Source classes reviewed include the ICO enforcement register, Companies House, UK government procurement portals, and relevant parliamentary committee records.
The following areas represent material gaps in the publicly available evidence base that would bear on a more complete assessment:
https://www.johnlewispartnership.co.uk/media-centre/latest-news/2023/17387 ↩↩↩↩
https://www.prnewswire.com/news-releases/john-lewis-partnership-accelerates-technology-transformation-with-100m-agreement-with-google-cloud-301896475.html ↩↩↩↩
https://cloud.google.com/transform/101-real-world-generative-ai-use-cases-from-industry-leaders ↩↩
https://www.wipro.com/newsroom/press-releases/2024/wipro-extends-relationship-with-the-john-lewis-partnership-to-complete-cloud-transformation-project/ ↩
https://www.adaptavist.com/case-studies/john-lewis ↩
https://dev.to/craigmorten/how-to-use-snyk-for-fixing-node-module-vulnerabilities-5b5b ↩
https://www.waitrose.com/ecom/help-information/website-cookies ↩
https://www.johnlewispartnership.co.uk/legal/privacy-notice.html ↩
https://www.johnlewispartnership.co.uk/investors/annual-reports.html ↩
https://nbcc.police.uk/news/project-pegasus-to-improve-information-sharing-between-police-and-retailers ↩↩
https://news.npcc.police.uk/releases/partnership-to-crack-down-on-shoplifting ↩↩
https://www.biometricupdate.com/202309/uk-police-retailers-partner-to-fight-shoplifting-with-biometrics ↩↩
https://www.weightmans.com/media-centre/news/retail-violence-government-launches-project-pegasus/ ↩
https://bigbrotherwatch.org.uk/2023/10/big-brother-watch-writes-to-major-uk-retailers-urging-them-to-withdraw-from-project-pegasus/ ↩↩
https://www.theguardian.com/technology/2023/oct/28/major-uk-retailers-urged-to-quit-authoritarian-police-facial-recognition-strategy ↩↩
https://www.theguardian.com/business/2024/apr/10/shoplifting-crackdown-to-include-55m-for-facial-recognition-tools-in-england-and-wales ↩↩
https://committees.parliament.uk/publications/45526/documents/225393/default/ ↩↩
https://www.revealmedia.co.uk/articles/announcing-the-auror-product-integration ↩
https://www.biometricupdate.com/202511/auror-launches-facial-recognition-tool-for-retail-crime-prevention-and-safety ↩↩
https://traxretail.com/media/retail-intelligence-company-trax-raises-125-million-brings-cameras-supermarket-shelves/ ↩
https://www.traxtech.com/ai-in-supply-chain/waitroses-ai-shopping-trolleys-signal-a-retail-revolution-for-supply-chain-intelligence ↩↩
https://www.theguardian.com/technology/2024/apr/16/google-workers-protest-project-nimbus-israel-contract ↩↩↩
https://www.theguardian.com/technology/2024/apr/18/google-fires-workers-israel-contract-protest ↩↩↩
https://retail-systems.com/rs/Waitrose_To_Trial_AI_Powered_Employee_App_As_Part_Of_Largest_Ever_Tech_Investment.php ↩
https://retailtechinnovationhub.com/home/2025/8/29/waitrose-taps-shopic-tech-as-grocery-retailer-kicks-off-smart-cart-and-frictionless-payment-trial ↩↩
https://www.retailgazette.co.uk/blog/2025/08/waitrose-ai-smart-trolley/ ↩↩
https://www.israel21c.org/john-lewis-partners-with-cimagine/ ↩
https://mobilemarketingmagazine.com/john-lewis-had-added-a-virtual-sofa-augmented-reality-feature-to-its-ios-app/ ↩
https://www.thedrum.com/news/john-lewis-shortlists-six-more-startups-retail-tech-accelerator-programme ↩
https://bigbrotherwatch.org.uk/campaigns/stop-facial-recognition/ ↩
