Audit Phase: V-DIG (Digital Forensics / Technology Supply Chain)
Target Company: PepsiCo, Inc. (NASDAQ: PEP)
Audit Date: 2026-05-01
Analyst Note: This audit is based exclusively on the attached research memo. All claims are drawn from verified public sources identified therein. Where evidence is absent, that absence is stated explicitly. No scores, tiers, or numerical ratings are assigned.
PepsiCo has publicly documented strategic cloud partnerships with three major U.S.-based hyperscale providers. Microsoft Azure was selected as PepsiCo’s preferred cloud provider around 2020 and serves as the primary cloud platform for enterprise workloads.[1] Google Cloud was engaged for supply chain AI and analytics applications, with a documented partnership dating to approximately 2022.[2] AWS is referenced in case study materials from 2021–2022 as a complementary cloud relationship.[3] None of these vendors are of Israeli origin.
PepsiCo undertook a major ERP transformation based on SAP S/4HANA, referenced in trade and technology press across 2021–2023.[4] SAP is a German-origin company. No Israeli-origin software forms any part of the disclosed ERP or core enterprise application stack.
Trax Retail is the sole Israeli-origin technology vendor for which a confirmed, named commercial relationship with PepsiCo has been identified in public sources.[5][6] Trax was founded in Israel and maintains co-headquarters in Singapore and Tel Aviv. Its platform deploys computer vision and AI-based image recognition to perform in-store shelf monitoring, planogram compliance verification, and retail execution analytics. PepsiCo’s use of Trax for these functions was documented in Trax’s own customer-facing materials and in consumer goods trade press between approximately 2019 and 2021.[5][6] The functional scope of the deployment is commercial retail operations — specifically, automated analysis of product placement on store shelves — and it is not characterised in any public source as embedded in core enterprise infrastructure, financial systems, or network security architecture. Whether this relationship continued, expanded, or was terminated after 2022 is not confirmed in any available public source. This constitutes a material evidence gap for current-state assessment.
The following Israeli-origin or Israeli-co-founded vendors were investigated. No named PepsiCo contract, integration, deployment, or licensing agreement was identified for any of them in SEC filings, ESG reports, vendor customer-reference pages, or trade press:
PepsiCo does not publish its cybersecurity vendor stack in any public filing, ESG report, or press release. The absence of named relationships for the above vendors reflects the limits of available public disclosure, not a confirmed absence of any relationship. Procurement records sufficient to close this gap are not publicly available for a private enterprise of this type.
PepsiCo’s digital transformation is understood in general industry coverage to involve major integrators including Accenture and IBM, neither of which is Israeli-origin. No public evidence was identified of a systems integrator mandating or deploying specifically Israeli-origin technology as part of a PepsiCo engagement. Sub-vendor selections by integrators are not publicly disclosed, leaving a residual evidence gap for indirect technology exposure.
No public evidence was identified of PepsiCo deploying facial recognition, biometric identification (iris, fingerprint, or voice), gait analysis, or behavioural analytics technology of Israeli origin in any operational context — whether in manufacturing plants, distribution facilities, corporate campuses, or retail environments. Specifically, no deployments of Israeli-origin vendors including AnyVision (now Oosto), BriefCam (a Canon subsidiary with Israeli origins), or comparable platforms were identified. No public evidence identified.
Trax’s shelf-analytics platform, for which a PepsiCo relationship is documented,[5][6] employs computer vision and AI object detection. The disclosed function of this technology is analysis of product placement on retail store shelves for commercial compliance purposes. It is not characterised in any public source as a workforce surveillance, consumer tracking, social media monitoring, or predictive policing instrument. The technology analyses product-level planogram compliance rather than individuals or personal data.
No public evidence was identified of PepsiCo using Israeli-origin sentiment analysis platforms, social media monitoring tools, workforce surveillance software, or employee behavioural monitoring systems. No public evidence identified.
No public evidence was identified of Israeli-origin surveillance technology reaching PepsiCo indirectly via managed security services, bundled enterprise software suites, or third-party platform integrations. No public evidence identified.
No public evidence was identified that PepsiCo operates, leases, co-locates, or maintains any data centre infrastructure within Israel. PepsiCo’s documented cloud infrastructure spans Microsoft Azure, Google Cloud, and AWS — all U.S.-headquartered platforms.[1][2][3] PepsiCo has no disclosed sovereign cloud arrangements with Israeli government-aligned cloud infrastructure. No public evidence identified.
Project Nimbus is an Israeli government contract awarded jointly to Google Cloud and Amazon Web Services, announced in 2021 and confirmed in 2022. PepsiCo is a commercial enterprise customer of both Google Cloud and AWS.[2][3] However, PepsiCo is a consumer packaged goods company — a technology consumer, not a technology provider or cloud sub-contractor. There is no credible structural mechanism by which PepsiCo, as a CPG customer of these platforms, would itself be a participant in, or sub-contractor under, Project Nimbus. PepsiCo’s consumption of Google Cloud or AWS services does not constitute participation in or material support for Project Nimbus. No public evidence identified of any PepsiCo role in Project Nimbus or any equivalent Israeli government sovereign cloud programme.
PepsiCo does not provide cloud infrastructure, platform, or software services to external third parties as a business line. It is a technology consumer. There is no disclosed mechanism by which PepsiCo’s data residency decisions would create downstream exposure for third-party data subjects in relation to Israeli state access regimes. No public evidence identified.
PepsiCo is a food, beverage, and snack manufacturing conglomerate. It does not operate as a defence contractor, intelligence contractor, or dual-use technology provider. No public evidence was identified of any contract, service agreement, memorandum of understanding, or commercial relationship between PepsiCo and the Israeli Ministry of Defence, the Israel Defense Forces (IDF), Shin Bet, Mossad, or any Israeli government intelligence or security body. No public evidence identified.
No public evidence was identified of any PepsiCo commercial technology — including the Trax shelf-analytics deployment — being reported, documented, or confirmed as deployed for military, intelligence, law enforcement surveillance, or border control purposes in Israel or in occupied territories. No public evidence identified.
PepsiCo has no publicly known involvement in the development, sale, licensing, or export of offensive cyber capabilities, zero-day exploit research, signals intelligence tools, or digital weapons systems. No public evidence identified.
PepsiCo was the subject of a data breach notification filed with the Maine Attorney General in January 2023, relating to an internal network intrusion affecting employee-related data.[15] In July 2023, the hacking group SiegedSec claimed a separate intrusion against PepsiCo systems.[16] These incidents involve PepsiCo as a victim of cyber-intrusion, not as a technology provider to state or military bodies. They are noted here for completeness regarding the company’s cybersecurity posture; they do not constitute defence or intelligence sector technology relationships.
PepsiCo uses AI and machine learning internally for supply chain optimisation, demand forecasting, and retail analytics, primarily through its documented Google Cloud partnership.[2] These are commercial operational functions. There is no public evidence of PepsiCo providing, licensing, or selling AI or ML systems or outputs to Israeli state, military, law enforcement, or security agencies. No public evidence identified.
No public evidence was identified of PepsiCo AI or ML models being trained on civilian population data, intercepted communications data, biometrically derived datasets, or surveillance-derived data originating from Israel or occupied Palestinian territories. No public evidence identified.
PepsiCo has no publicly known provision of autonomous targeting systems, automated threat detection platforms, lethal autonomous weapons components, or autonomous tracking systems to any military or security force, Israeli or otherwise. No public evidence identified.
PepsiCo’s disclosed AI use cases — supply chain optimisation, shelf analytics via Trax, demand forecasting — do not implicate algorithmic decision-making over individuals in the sense scrutinised by human rights due diligence frameworks (i.e., predictive policing, credit scoring, asylum processing, targeted lethal operations). No civil society or regulatory body has published an accountability assessment of PepsiCo’s AI/algorithmic systems in relation to Israeli state engagement. No public evidence identified.
PepsiCo does not maintain a dedicated software engineering office, technology R&D centre, or innovation laboratory in Israel as a standalone PepsiCo entity. No public evidence — including PepsiCo corporate website listings, Israeli technology ecosystem directories, or job posting data — was identified confirming the existence of a PepsiCo technology-focused R&D presence in Israel separate from SodaStream’s manufacturing operations. No public evidence identified for a technology-focused R&D footprint in Israel.
Following PepsiCo’s $3.2 billion acquisition of SodaStream International Ltd. in December 2018,[17] PepsiCo operates SodaStream’s manufacturing and commercial operations in Israel. SodaStream’s primary Israeli manufacturing facility is located in Rahat, in the Negev region of Israel proper.[18] This facility was relocated to Rahat from the Ma’ale Adumim (Mishor Adumim) industrial zone in the West Bank in 2015 — three years prior to PepsiCo’s acquisition.[18]
SodaStream is a consumer hardware and consumables company; its product domain is home carbonation appliances, CO₂ cylinders, and flavour syrups. It is not a software company, cybersecurity vendor, AI developer, or enterprise technology provider. The SodaStream acquisition therefore does not constitute PepsiCo’s entry into the Israeli technology sector as defined by this audit’s scope. However, it does establish PepsiCo as an operator of manufacturing assets on Israeli soil and as a corporate owner of an Israeli-headquartered subsidiary.[17][19]
No public evidence was identified of PepsiCo acquiring or making strategic investments in Israeli-origin software, cybersecurity, AI, cloud, or enterprise technology companies or venture funds, beyond the SodaStream acquisition (which falls outside the technology scope of this audit). No public evidence identified.
No public evidence was identified of significant patent portfolios, co-development programmes, or licensing arrangements between PepsiCo and Israeli-domiciled academic or research institutions, including the Technion, Hebrew University of Jerusalem, or Weizmann Institute of Science. PepsiCo’s patent activity is primarily concentrated in food science, packaging, beverage formulation, and manufacturing process engineering. No public evidence identified.
Who Profits Research Center (an Israeli-based NGO that profiles companies operating in occupied Palestinian territory) maintains documented research on SodaStream’s historical operations at the Mishor Adumim industrial zone in the West Bank, where SodaStream operated a factory prior to its relocation to Rahat in 2015.[19] This documentation covers the period before PepsiCo’s ownership of SodaStream. The current status of any active Who Profits profile specifically targeting PepsiCo — as distinct from legacy SodaStream records — is not confirmed in available public sources.[20]
No NGO or academic report specifically addressing PepsiCo’s technology supply chain relationships with the Israeli state — including cybersecurity vendors, cloud infrastructure, AI systems, or surveillance tools — has been identified in available sources. Civil society scrutiny of PepsiCo in this domain has focused exclusively on the SodaStream consumer brand acquisition, not on enterprise IT procurement or digital supply chain exposure. No public evidence identified of technology-specific civil society audit activity targeting PepsiCo.
Following PepsiCo’s acquisition of SodaStream in 2018–2019, BDS-aligned campaigns publicly called for boycotts of PepsiCo consumer products, citing the acquisition as providing revenue and commercial legitimacy to an Israeli company with a historical record of West Bank factory operations.[21] The primary documented basis for BDS targeting is SodaStream’s identity as an Israeli commercial brand with pre-2015 West Bank operational history, not PepsiCo’s enterprise technology procurement decisions.[21]
PepsiCo has not issued a public statement specifically addressing or responding to BDS demands related to the SodaStream acquisition in any filing, press release, or investor communication identified in available sources.[22][23]
In January–February 2014, Oxfam and SodaStream brand ambassador Scarlett Johansson publicly parted ways after Oxfam cited SodaStream’s continued operation of a factory in the occupied West Bank as incompatible with Oxfam’s humanitarian policy positions.[24] This controversy significantly raised the public profile of SodaStream’s West Bank operations. It predates PepsiCo’s acquisition of SodaStream by approximately four years and concerns the consumer brand’s supply chain geography, not technology relationships.
No regulatory inquiries, legal challenges, export control enforcement actions, sanctions designations, or U.S. Treasury OFAC-related proceedings involving PepsiCo’s technology sales, services, or digital supply chain vis-à-vis Israel or Israeli entities have been identified in a review of available U.S. regulatory databases.[25] PepsiCo is not listed on the OFAC Specially Designated Nationals list, nor is it the subject of any identified BIS export control action relating to its technology activities. No public evidence identified.
PepsiCo publishes an annual ESG Summary under its PepsiCo Positive (pep+) framework and maintains a Human Rights Policy accessible via its corporate sustainability reporting portal.[26][27] These disclosures address supply chain labour standards, environmental impact, and human rights risk in agricultural supply chains. They do not contain specific disclosures regarding the company’s enterprise technology vendor relationships, cybersecurity supply chain, or digital ecosystem from a human rights or political risk perspective.
https://cloud.google.com/blog/topics/consumer-packaged-goods/pepsico-uses-google-cloud-to-optimize-supply-chain
https://cloud.google.com/blog/topics/consumer-packaged-goods/pepsico-uses-google-cloud-to-optimize-supply-chain
https://news.sap.com/
https://www.checkpoint.com/customers/
https://www.cyberark.com/customers/
https://www.sec.gov/cgi-bin/browse-edgar?action=getcompany&CIK=sentinelone&type=10-K
https://techcrunch.com/tag/wiz/
https://www.sec.gov/cgi-bin/browse-edgar?action=getcompany&CIK=verint&type=10-K
https://www.sec.gov/cgi-bin/browse-edgar?action=getcompany&CIK=nice+systems&type=20-F
https://www.sec.gov/cgi-bin/browse-edgar?action=getcompany&CIK=palo+alto+networks&type=10-K
https://claroty.com/customers/
https://www.maine.gov/agviewer/content/ag/985235c7-cb95-819f-e490-c7ade2d9fae7/84a6e6e0-2f82-4b60-97e4-9a2a6b6efafe.html
https://cybernews.com/news/pepsico-data-breach-siegedsec/
https://www.pepsico.com/news/press-release/pepsico-completes-acquisition-of-sodastream-for-approximately-32-billion12052018
https://www.theguardian.com/world/2015/sep/01/sodastream-west-bank-factory-closes
https://whoprofits.org/
https://www.aljazeera.com/economy/2019/1/1/bds-activists-target-pepsico-over-sodastream-acquisition
https://www.sec.gov/cgi-bin/browse-edgar?action=getcompany&CIK=0000077476&type=10-K&dateb=&owner=include&count=40
https://www.sec.gov/cgi-bin/browse-edgar?action=getcompany&CIK=0000077476&type=8-K&dateb=&owner=include&count=40
https://www.theguardian.com/world/2014/jan/29/scarlett-johansson-oxfam-sodastream-israel
https://home.treasury.gov/policy-issues/financial-sanctions/specially-designated-nationals-and-blocked-persons-list-sdn-human-readable-lists
https://www.pepsico.com/our-impact/esg-topics-a-z/esg-summary
https://www.pepsico.com/our-impact/esg-topics-a-z/human-rights