Audit Phase: V-DIG
Audit Date: 2026-05-01
Entity: Waitrose & Partners, a trading division of the John Lewis Partnership (JLP)
JLP announced a five-year, approximately £100 million (~$127 million) strategic partnership with Google Cloud in 2023 16. This is the most extensively documented and significant technology relationship in the public record for JLP and Waitrose. The confirmed scope includes:
JLP was prominently featured in Google Cloud’s Next ’23 announcements as a flagship enterprise partnership 5. Multiple Google Cloud blog posts and JLP technology team interviews describe the migration of platform engineering functions to Google Cloud infrastructure 24. This constitutes deep, critical-infrastructure-level integration — not a peripheral or tactical engagement.
The prior research identifies four Israeli-origin or Israeli-founded cybersecurity vendors as active within JLP’s security architecture. The evidentiary basis for each is assessed individually below.
Check Point Software Technologies: Cited evidence consists of JLP job postings on a third-party aggregator platform 18 listing “Check Point CCSA/CCSE” certifications as requirements for security engineering roles. No corporate press release, vendor case study, or primary procurement record naming Check Point as a JLP/Waitrose vendor has been identified. The inference that certification requirements in job postings constitute active enterprise deployment is plausible but not conclusively evidenced by a primary source.
SentinelOne: The same job-aggregator source describes SentinelOne EDR as “critical security tooling” within a JLP Senior Information Security Engineer role 18. This is consistent with SentinelOne’s known positioning as an endpoint security platform and with its documented partnership with CyberArk 11, but no primary JLP press release or vendor case study confirming active deployment has been identified. Claim is plausible but unverified by primary source.
CyberArk: CyberArk is confirmed as an Israeli-founded privileged access management (PAM) company headquartered in Petah Tikva, Israel, and Newton, Massachusetts 10. The prior research cites JLP’s CISO Carole Drape and BISO James Turrell as speakers at CyberArk-associated events, with a 2020 Evanta CISO summit listing 18 and a Pulse Conferences CISO 360 speaker listing 19 as cited evidence. If accurate, these indicate a vendor-level relationship as of approximately 2020. However, speaker-listing pages are not procurement records and change over time. The currency of any CyberArk–JLP relationship post-2020 is unknown. This represents the strongest, though still indirect, public signal of an Israeli-origin security vendor relationship at JLP.
Palo Alto Networks: Cited alongside Check Point in the same job-aggregator source 18. Same evidentiary caveats apply. Plausible but unverified by primary source.
Wiz: No direct JLP or Waitrose procurement relationship with Wiz has been identified. The prior research advances an ecosystem-inference argument: because JLP uses Google Cloud extensively, and Wiz (acquired by Google/Alphabet in 2025) integrates closely with Google Cloud environments, JLP’s environment may be proximate to Wiz tooling. This is an inference, not an evidenced relationship. No public evidence identified of a direct Wiz contract with JLP/Waitrose. Auditors should note the materiality of the Google acquisition context but not treat proximity as confirmation.
Claroty: The prior research asserts Claroty secures JLP’s operational technology (OT) and ICS environment at automated distribution centres, citing Hai Robotics and Logistex sources 78 as contextual grounding. No primary source — case study, press release, or procurement record — naming Claroty as a JLP/Waitrose vendor has been identified. The claim derives entirely from inference about industry norms (Claroty being a common OT security partner in automated warehouse environments). Per audit evidentiary standards, this inference is not accepted. No public evidence identified of a direct Claroty–JLP relationship.
NICE / Verint: No public evidence identified of any licensing, subscription, or integration relationship between JLP/Waitrose and NICE Systems or Verint. Source classes checked: corporate press releases, trade press, prior research.
Publicis Sapient: JLP’s relationship with Publicis Sapient as a digital transformation partner is documented across multiple public sources, including a Publicis Sapient–Google Cloud joint announcement of a Retail Media Network Accelerator 12 and composable commerce documentation referencing JLP. The relationship appears active as of 2023–2024.
Publicis Sapient / Quicklizard: Publicis Sapient announced a strategic partnership with Quicklizard, an Israeli-founded AI-driven dynamic pricing platform, documented in a formal press release 13. However, no evidence has been identified that Publicis Sapient has deployed Quicklizard specifically within JLP or Waitrose. The Publicis Sapient–Quicklizard partnership is confirmed; any JLP application is not. This constitutes a potential third-party pathway for Israeli-origin technology to reach JLP/Waitrose that requires active monitoring but cannot be treated as confirmed.
Headforwards: The Cornwall-based software consultancy published a case study describing delivery of a JLP mobile application 14. No Israeli-origin technology involvement was identified in this engagement.
Logistex: JLP engaged Logistex as the systems integrator for its Hai Robotics autonomous mobile robot deployment at the Fenny Lock, Milton Keynes distribution centre 78. Logistex is a UK-based warehouse automation integrator. No Israeli-origin technology involvement has been identified in this specific engagement.
Hai Robotics: Hai Robotics is a Chinese-founded autonomous case-handling robot manufacturer. Its deployment within JLP’s distribution infrastructure is well-documented 78. No Israeli-origin technology involvement identified in this relationship.
The entirety of the cybersecurity vendor claims (Check Point, SentinelOne, CyberArk, Palo Alto) rests on a single ephemeral job-aggregator page and two conference speaker listings. JLP does not publicly disclose its security vendor roster — standard practice for security reasons. These relationships can neither be confirmed nor denied from available primary sources. JLP’s annual reports ([^21]) should be manually reviewed by auditors for technology partner disclosures, as they were not retrievable in this research session.
Waitrose’s published Privacy Notice explicitly states that it does not use facial recognition technology 9. This is a primary-source corporate disclosure and the most direct available evidence regarding Waitrose’s position on biometric surveillance.
The prior research cites two trade press articles — from Retail Gazette and Retail Tech Innovation Hub, both reportedly dated August 2025 — describing a Waitrose trial of Shopic smart trolleys at its Bracknell store 20. These reports could not be independently retrieved via live search in this session and are therefore cited but unverified by independent retrieval.
Shopic is confirmed as an Israeli-founded company. Its co-founders, Eran Kravitz and Raz Golan, have disclosed military and technology-unit backgrounds, consistent with the broader pattern of Israeli retail-tech founders with IDF Unit 8200 or equivalent experience 20. Shopic’s technology involves computer-vision-based item recognition to enable frictionless checkout — it identifies products, not individuals. If the reported Waitrose trial is accurate as characterised, this would be consistent with Waitrose’s stated non-use of facial recognition technology (product recognition ≠ identity recognition). The trial’s data practices, contractual terms, and current status (whether concluded or expanded) cannot be verified from available sources.
No public evidence identified of any current or past contractual relationship between Waitrose/JLP and Facewatch, the UK facial recognition firm active in grocery retail. The sector context is material: Big Brother Watch filed an ICO complaint in 2022 regarding Facewatch deployment by the Southern Co-op 15, and UK government funding of £55 million for facial recognition tools in retail was announced in April 2024 16. These represent sector-level risk vectors. Competitors including Southern Co-op and Budgens have deployed Facewatch; no evidence places Waitrose in this group.
No public evidence identified of Waitrose/JLP deploying Israeli-origin predictive analytics, social media monitoring, sentiment analysis, or workforce surveillance tools.
No public evidence identified that Waitrose or JLP operates, leases, or co-locates any data centre infrastructure within Israel. JLP’s cloud strategy is anchored to Google Cloud, with infrastructure residing in Google’s European and UK regions as described in partnership documentation 124. Waitrose has no identified retail operations within Israel, which substantially reduces the probability of any in-country infrastructure presence.
No public evidence identified that Waitrose or JLP participates in Project Nimbus or any comparable Israeli state-backed digital infrastructure programme. Project Nimbus’s primary contractors are Amazon Web Services and Google Cloud as cloud service providers; JLP is a downstream enterprise customer of Google Cloud, not a party to government cloud contracting of this nature. Source classes checked: Project Nimbus contractor lists as publicly reported, press coverage, prior research.
No public evidence identified. Waitrose is a retail consumer of cloud services, not a cloud service provider. No evidence has been identified of Waitrose marketing, selling, or contracting data sovereignty or infrastructure resilience services to any Israeli state institution, military body, or government agency.
JLP’s Google Cloud migration documentation references Google Cloud’s platform engineering stack and Kubernetes-based application infrastructure 24. No evidence has been identified of data flows routed through Israeli-hosted infrastructure or of Israeli data residency commitments of any kind.
No public evidence identified of any contract, partnership, or service agreement between Waitrose/JLP and the Israeli Ministry of Defence, Israel Defense Forces (IDF), Israeli intelligence agencies (Mossad, Shin Bet, Unit 8200), or other Israeli state security bodies. Waitrose is a domestic UK grocery retailer with no identified defence or intelligence sector customer relationships of any kind.
No public evidence identified that any Waitrose or JLP technology, platform, dataset, or service has been reported, confirmed, or documented as deployed for military, intelligence, or law enforcement surveillance purposes within Israel or in the occupied Palestinian territories.
No public evidence identified. JLP/Waitrose has no identified involvement in the development, licensing, or sale of offensive cyber tools, zero-day exploit frameworks, or digital weapons systems. This category is assessed as not applicable to a grocery retail company operating solely in UK consumer markets.
The CyberArk speaker-listing evidence 1819, if taken at face value, indicates a historical relationship with an Israeli-headquartered security vendor whose products are widely deployed in defence and intelligence environments globally. This is a standard commercial cybersecurity relationship and does not constitute a defence or intelligence sector technology relationship for Waitrose itself.
No public evidence identified that Waitrose/JLP provides AI, machine learning, computer vision, or autonomous decision-support systems to Israeli state, military, or security bodies.
JLP’s AI activity is documented as wholly consumer- and operations-facing:
No public evidence identified of JLP’s AI models or platforms being trained on, or granted access to, civilian population data from Israel or the occupied Palestinian territories. JLP’s Vertex AI usage is documented as operating on JLP’s own retail and customer data within its Google Cloud environment 34.
Not applicable. No public evidence identified. JLP/Waitrose has no identified involvement in autonomous weapons, lethal autonomous systems, or military robotics development.
No public evidence identified that Waitrose or JLP operates any research and development facility, engineering office, innovation laboratory, or technology accelerator programme within Israel. JLP’s technology function operates from UK-based offices; its primary development partners (Headforwards, Publicis Sapient) are UK and US entities respectively 1214.
No public evidence identified of any acquisition of an Israeli-origin technology company by JLP/Waitrose, or of any strategic investment by JLP/Waitrose in Israeli technology startups, venture capital funds, or corporate venture programmes with Israeli exposure.
No public evidence identified of patent portfolios, co-development licensing arrangements, or joint research agreements between JLP/Waitrose and Israeli-domiciled entities or Israeli research institutions (Technion, Hebrew University, Weizmann Institute). Source classes checked: training-data patent database coverage and corporate disclosures.
JLP’s documented investment in warehouse automation — including Hai Robotics systems at Fenny Lock 78 and KNAPP logistics systems cited in the prior research 17 — represents significant capital deployment in automated fulfilment infrastructure. Neither Hai Robotics nor KNAPP is Israeli-origin. The systems integrator (Logistex) is UK-based. No Israeli-origin technology involvement has been identified in JLP’s warehouse automation stack from available sources.
Headforwards’ documented app development engagement 14 and Publicis Sapient’s broader digital transformation role 12 represent JLP’s principal identified external development partners. JLP’s engineering team has published technical content on its Google Cloud adoption 24, suggesting a meaningful internal platform engineering capability. No Israeli-origin tooling is identified in these public technical disclosures.
No public evidence identified of published NGO investigations, academic studies, or UN reports specifically addressing Waitrose’s technology relationships with the Israeli state, Israeli-origin vendors, or operations in occupied territories. The absence of such reports may reflect genuine absence of relationships meeting civil society investigation thresholds, or it may reflect a gap in civil society research attention to UK grocery retail technology procurement specifically.
Big Brother Watch has published extensively on retail facial recognition deployment in the UK, including its 2022 ICO complaint regarding Facewatch and Southern Co-op 15, and tracks the government’s £55 million commitment to retail facial recognition tools 16. No Waitrose-specific investigation or complaint has been identified in Big Brother Watch’s published record. The ICO enforcement register has not produced any Waitrose technology-related enforcement action connected to Israeli vendor relationships or biometric surveillance.
No public evidence identified of organised BDS campaigns specifically targeting Waitrose’s technology procurement. Waitrose has been subject to consumer pressure regarding the stocking of Israeli food products, but this falls outside the V-DIG domain scope and is not assessed here. No technology-specific divestment campaign targeting Waitrose has been identified in publications from the BDS Movement, Palestine Solidarity Campaign UK, or War on Want.
No public evidence identified of any regulatory inquiry, export control action, sanctions-related investigation, legal challenge, or ICO enforcement action involving Waitrose/JLP’s technology sales or services to Israeli state entities or in connection with Israeli-origin vendor relationships. Source classes checked: ICO enforcement register, UK Companies House, trade press.
The UK government’s April 2024 announcement of £55 million in funding for facial recognition tools directed at retail shoplifting reduction 16 establishes a policy environment that may increase uptake of biometric surveillance across the grocery sector. Waitrose’s current privacy notice denial of facial recognition use 9 would need ongoing verification against this policy backdrop. No evidence of changed practice has been identified.
https://www.pymnts.com/news/retail/2023/united-kingdom-retailer-john-lewis-launches-127-million-dollar-google-cloud-partnership/ ↩↩
https://cloud.google.com/blog/products/application-development/simplifying-platform-engineering-at-john-lewis-part-two ↩↩↩↩↩
https://cloud.google.com/transform/101-real-world-generative-ai-use-cases-from-industry-leaders ↩↩↩
https://www.thestack.technology/john-lewis-data-transformation-interview/ ↩↩↩↩↩↩↩
https://www.googlecloudpresscorner.com/2023-08-29-Google-Cloud-Kicks-Off-Next-23-with-a-New-Way-to-Cloud ↩↩
https://www.just-style.com/news/john-lewis-100m-google-cloud-deal-focuses-on-ai-customer-experience/ ↩
https://www.hairobotics.com/news/logistex-john-lewis-partnership-innovative-eco-friendly-warehouse-operations ↩↩↩↩↩
https://www.robotics247.com/article/headline_john_lewis_partnership_to_use_hai_robotics_systems_at_new_distribution_center_in_u.k_as_part_of_logistex_agreement ↩↩↩↩↩
https://www.waitrose.com/ecom/help-information/privacy-notice ↩↩
https://en.wikipedia.org/wiki/CyberArk ↩
https://www.cyberark.com/press/cyberark-and-sentinelone-team-up-to-enable-step-change-in-endpoint-and-identity-security/ ↩
https://www.publicissapient.com/news/publicis-sapient-collaborates-with-google-cloud-to-launch-retail-media-network-accelerator ↩↩↩
https://www.publicissapient.com/content/dam/ps-rebrand/ps-ventures-2024/PS-quicksilver-press-release.pdf ↩
https://www.headforwards.com/insights/case-studies/john-lewis-partnership-developing-a-new-app-for-leading-high-street-brand/ ↩↩↩
https://bigbrotherwatch.org.uk/wp-content/uploads/2022/07/Facewatch-Co-op-ICO-Complaint.pdf ↩↩
https://www.theguardian.com/business/2024/apr/10/shoplifting-crackdown-to-include-55m-for-facial-recognition-tools-in-england-and-wales ↩↩↩↩
https://www.knapp.com/en/insights/blog/logistics-strategy-role-success-factors-integration/ ↩
https://www.evanta.com/ciso/uk/2020-uk-ciso-virtual-executive-summit ↩↩↩↩↩
https://www.pulseconferences.com/conference/ciso-360-congress/speakers-5/ ↩↩
