INDEX / DIRECTORY / COSTA COFFEE / DIGITAL

Costa Coffee DIGITAL

DIGITAL INFRASTRUCTURE AUDIT UPDATED 2026-06-15
Digital Score 0.21 /10 B Costa Coffee - BDS-1000 649
Digital 0.21

Evidence-only forensic audit. Scoring happens downstream - see the main dossier for the composite assessment.

Digital Audit: Costa Coffee

Audit Phase: Digital (Digital / Technology Forensics) Subject Entity: Costa Limited (“Costa Coffee”), a wholly owned subsidiary of The Coca-Cola Company (acquired from Whitbread plc, completed 3 January 2019)1 Registered Office: Costa House, Houghton Hall Business Park, Houghton Regis, Dunstable, United Kingdom Audit Date: June 2026 Evidence Base: Published corporate disclosures, vendor press releases and case studies, retail- and contact-centre technology press, NGO research, and regulatory/biometric-policy reporting. All factual claims are drawn from publicly available sources cited in the End Notes.

Scope and directionality note: Digital assesses the digital/technology nexus to Israel. The serious case is the provision of surveillance, digital, data, or cyber technology to the Israeli state, military, or security services. The reverse direction - Costa procuring technology from Israeli-origin vendors - is a customer relationship and is recorded explicitly as such, weighted far lower than provision. No transitive guilt is imputed: an Israeli vendor’s other clients, a founder’s military background, or a parent/franchisee’s separate activities are not attributed to Costa. US-entity relationships (e.g. Microsoft, Google, AWS, GEP) are not Israeli-origin and are noted only for completeness. Cyberattacks recorded below were directed at Costa/its parent and are not instances of provision.

Enterprise Technology Stack & Vendor Relationships

Strategic Technology Partnerships (Direction: Costa as customer)

Costa’s principal disclosed enterprise-data relationship is with Vega IT, a Serbian IT consultancy, which rebuilt Costa’s data architecture/data-warehouse after Costa moved its data infrastructure in-house from a prior external vendor.2 The published Vega IT case study lists a stack including Databricks, Azure DevOps, Python, PySpark and Power BI Service; a separate Vega IT engagement automated Costa’s pricing and menu management using Durable Azure Functions, cutting manual work by over 90%.23 These engagements run on the Microsoft Azure ecosystem; Microsoft is a US-headquartered entity, and the case studies do not specify Azure regions or any Israeli infrastructure.23

Costa uses Google Maps Platform (Geocoding API, Places API, Place Autocomplete) and Google Analytics for its store locator and click-and-collect features; Gordon Lucas, Costa’s Global Head of Digital Engineering, is quoted in the Google case study.4 Google is a US-headquartered entity; this is Google Maps Platform, not Google Cloud infrastructure, and no data-residency or Israel detail is disclosed.4

Costa deployed GEP SOFTWARE, a US-headquartered (Clark, New Jersey) AI-driven procurement and supply-chain platform, to automate direct and indirect procurement across roughly 50 countries; Xavier Martinez, Costa’s Chief Supply Chain Officer, is quoted in the GEP announcement.5 No Israeli nexus is identified.5

Costa’s loyalty programme, “Costa Club,” is personalised using decision-intelligence software from HyperFinity (a Leeds, UK-based firm founded 2019), which reports year-on-year growth in Costa’s loyalty base.67 HyperFinity is a UK-origin vendor; no Israeli nexus is identified.67

Israeli-Origin Technology Vendors in the Costa Stack (Direction: Costa as customer)

No public evidence was independently identified confirming a current licensing, subscription, or integration relationship between Costa Coffee Ltd and any Israeli-origin technology vendor. Prior unverified claims - that Costa uses Check Point (co-appearance with a Costa security-team speaker at the CISO Inspired Summit UK 2025 only), NICE (mere co-exhibition at Contact Centre Expo 2025), SentinelOne (Costa named in a Nebula Global Services market report, not stated to be a Nebula/SentinelOne client), CyberArk (via managed-services provider Exponential-e, whose customer list does not name Costa), or Verint (an inference chain via Bellrock/Sabio with no link to Costa) - were tested against primary sources and none establishes a contractual or deployment relationship.8 No public evidence of a confirmed Israeli-origin cybersecurity or analytics deployment at Costa Coffee identified.

Systems Integrators (Franchisee-level)

Infosys / Americana Restaurants (franchisee level): Infosys BPM documents an Accounts Payable on Cloud and agentic-AI invoice-automation engagement with Americana Restaurants - a Middle East/North Africa/Kazakhstan operator of more than 2,600 restaurants whose multi-brand portfolio includes Costa Coffee alongside KFC, Pizza Hut, Krispy Kreme and others.9 The solution is “powered by Microsoft’s AI stack, combining Azure AI Foundry and other LLMs.”9 This is a franchisee-entity engagement using a US (Microsoft) AI stack, not a Costa Coffee Ltd implementation, and no Israeli-origin technology is named.9

Procurement Transparency Constraints

Costa is a private-sector subsidiary not subject to UK public-procurement disclosure obligations. Vendor relationships below the level of named, publicly announced partnerships are not in the public domain, and the full security/IT vendor stack is undisclosed. This is the principal evidence gap in this domain.

Surveillance, Biometrics & Retail Technology

Smart Vending & Demographic Analytics (Costa Express / “Marlow” - confirmed historically)

In 2013 Costa Coffee’s Costa Express unit unveiled the “Marlow” / CEM-200 multi-sensory self-serve vending machine, which used facial-detection technology to estimate customer age and gender for tailored advertising and product recommendation; the system integrated technology from Intel and others and was integrated by Bsquare Corp., with demographic data described as anonymous.1011 Intel is a US-headquartered company (with R&D operations in Israel) and is not an Israeli-origin company. No post-2020 source confirms whether this demographic-analytics capability remains active in current-generation Costa Express hardware; current status is unconfirmed.10

Robotic Kiosks (BaristaBot / Briggo - confirmed historically)

In October 2020 Coca-Cola (via Costa) acquired the Austin, Texas robotic-coffee-kiosk firm Briggo (founded 2008; ~52 automated kiosks), rebranding the platform as Costa BaristaBot.1213 Briggo/BaristaBot is a US company with no identified Israeli origin or Israeli investor base; the BaristaBot brand has since been reported as discontinued.12 No public evidence identified that the kiosk platform routes data through Israeli infrastructure.

Frictionless / Autonomous Checkout (Zippin - not confirmed at Costa)

Zippin (US-headquartered, San Francisco) supplies checkout-free retail technology; its documented UK theme-park deployment (“DUPLO Coffee Co.” at LEGOLAND Windsor) was with Aramark UK, not Costa Coffee.14 No primary source in the current record names Costa Coffee as a Zippin customer. No public evidence of a confirmed Zippin deployment at Costa Coffee identified.

Smart Cabinets (Reckon.ai - not confirmed at Costa)

Reckon.ai (Porto, Portugal; lead investor Iberis Capital) supplies AI smart-cabinet/unattended-retail technology to clients including Carrefour and REWE/Lekkerland.1516 No primary source in the current record names Costa Coffee as a Reckon.ai customer; Reckon.ai is not of Israeli origin. No public evidence of a confirmed Reckon.ai deployment at Costa Coffee identified.

Facial Recognition / Biometric Payments

No public evidence identified of a confirmed facial-recognition or biometric-payment (e.g. PopID) deployment specifically at Costa Coffee outlets.

Retail Execution Analytics / Video Analytics (Trax, BriefCam)

No public evidence identified of a confirmed Trax (Tel Aviv R&D) or BriefCam (Israeli-founded, Canon-owned) deployment at Costa Coffee; prior claims rested on sources that do not name Costa.

Cloud Infrastructure, Data Residency & Sovereign Cloud Participation

Confirmed Cloud / Platform Usage

Costa’s data and application workloads are documented on Microsoft Azure (Databricks, Azure DevOps, Durable Azure Functions, Power BI) via Vega IT,23 and it uses Google Maps Platform for location services.4 Both Microsoft and Google are US-headquartered. No identified source specifies the Azure or Google regions hosting Costa’s data, and no evidence places Costa’s data in Israeli infrastructure.234

Data Centre Operations in Israel

No public evidence identified. No source documents Costa Coffee operating, leasing, or co-locating any data centre or cloud compute infrastructure within Israel.

Project Nimbus

No public evidence identified. Costa Coffee is not named in any Project Nimbus contract documentation or Israeli government procurement record. Project Nimbus is a contract between the Israeli government and Google Cloud and AWS; no direct relationship between Costa and that programme is documented.

Data Sovereignty / Sovereign Cloud Services to the Israeli State

No public evidence identified. Costa is a retail beverage company; no evidence has been found of it providing data-sovereignty, infrastructure-resilience, or cloud services to any state body, including Israeli government entities.

Defence, Intelligence & Security Sector Technology Relationships

Military & Intelligence Contracts

No public evidence identified. No contracts, partnerships, or service agreements between Costa Coffee and the Israeli Ministry of Defence, Israel Defense Forces, Shin Bet, Mossad, or any other Israeli or international defence or intelligence agency have been identified in any public source reviewed.

Dual-Use Technology Deployments

No public evidence identified. No reporting documents Costa’s commercial technology - frictionless checkout, robotic kiosks, vending demographic analytics, or customer-data systems - being deployed for military, intelligence, or law-enforcement surveillance applications in Israel or the occupied Palestinian territories.

Offensive Cyber & Weapons Technology

No public evidence identified. Costa Coffee has no documented involvement in offensive cyber capabilities, exploit tooling, vulnerability research, or digital weapons systems of any kind.

AI, Algorithmic & Autonomous Systems

AI/ML Provision to Israeli State Bodies

No public evidence identified. No AI or machine-learning products or services supplied by Costa Coffee to Israeli government, military, or intelligence entities have been documented.

Training Data & Model Development

No public evidence identified. No public information describes Costa Coffee licensing customer data, behavioural datasets, or operational data to Israeli AI development programmes or Israeli state bodies.

Autonomous & Algorithmic Systems (civilian retail applications)

Costa’s documented AI/autonomous systems are civilian retail applications: HyperFinity decision-intelligence personalisation of the Costa Club loyalty scheme;67 GEP AI-driven procurement automation;5 historic Briggo/BaristaBot robotic kiosks;12 and historic Intel/Bsquare “Marlow” vending demographic analytics.1011 None has any documented connection to defence, lethality, or state-surveillance applications. The franchisee-level Infosys/Americana agentic-AI accounts-payable deployment runs on Microsoft’s Azure AI stack.9

Technology Ecosystem & R&D Footprint

R&D Facilities

Costa opened a UK-based Innovation and Development Centre in Loudwater, England (2024), to test and develop equipment for Costa Coffee Professional’s coffee solutions.17 No public evidence identified of Costa Coffee operating any R&D facility, engineering office, innovation lab, or accelerator within Israel.

Acquisitions & Investments

Patents & IP

No public evidence identified of Costa Coffee patent portfolios, IP licensing arrangements, or co-development agreements with Israeli-domiciled entities or research institutions in the digital/technology domain.

Civil Society Scrutiny & Regulatory History

Cyber & Data-Breach Incidents (directed at Costa / its then-parent)

No Israeli-origin vendor was named in connection with either incident.

NGO Reports & Boycott Campaigns (franchise / parent supply-chain context)

Regulatory & Legal Actions (technology domain)

No public evidence identified of regulatory inquiries, export-control actions, sanctions investigations, or legal challenges specifically involving Costa Coffee’s technology procurement, data practices, or services to Israeli state entities. No completed ICO enforcement action specifically naming Costa Coffee’s technology operations has been identified in available sources.

End Notes

Footnotes

  1. https://www.foodmanufacturing.com/home/news/13248648/the-cocacola-company-completes-acquisition-of-costa-from-whitbread-plc 2

  2. https://www.vegait.co.uk/media-center/business-insights/we-rebuilt-costa-s-data-architecture-to-drive-growth 2 3 4 5

  3. https://www.vegaitglobal.com/media-center/business-insights/helping-costa-coffee-reduce-manual-work-by-90-with-automated-pricing-and-menu-management 2 3 4

  4. https://cloud.google.com/customers/costa-coffee 2 3 4

  5. https://www.gep.com/newsroom/costa-coffee-uks-favorite-coffee-shop-successfully-goes-live-geps-ai-driven-software 2 3

  6. https://hyperfinity.ai/resources/hyperfinity-x-costa 2 3

  7. https://retailtechinnovationhub.com/home/2024/6/10/rtih-innovation-awards-winner-costa-coffee-takes-wraps-off-new-uk-based-innovation-and-development-centre 2 3

  8. https://openintel.uk/costa-coffee/

  9. https://www.infosysbpm.com/insights/client-insights/americana-and-infosys-bpm-pioneering-the-future-of-accounts-payable-with-agentic-ai.html 2 3 4

  10. https://www.geekwire.com/2013/smart-coffee-vending-machine-lot/ 2 3

  11. https://www.idsvending.com/blog/new-coffee-vending-machine-uses-facial-recognition/ 2

  12. https://www.worldcoffeeportal.com/news/costa-coffee-us-to-launch-new-robotic-coffee-kiosk-concept-in-texas/ 2 3 4

  13. https://www.bevnet.com/news/2020/costa-coffee-acquires-rebrands-briggo-machine-as-baristabot/ 2

  14. https://www.getzippin.com/blog/first-european-theme-park-launches-zippin

  15. https://retailtechinnovationhub.com/home/2025/7/29/autonomous-retail-technology-startup-reckonai-bags-51-million-in-funding-round-led-by-iberis-capital

  16. https://retailtechinnovationhub.com/home/2024/12/18/fast-fresh-food-lekkerland-se-and-reckonai-team-on-rewe-to-go-autonomous-store-in-german-train-station

  17. https://retailtechinnovationhub.com/home/2024/6/10/rtih-innovation-awards-winner-costa-coffee-takes-wraps-off-new-uk-based-innovation-and-development-centre

  18. https://www.itpro.com/data-breaches/31437/costa-coffee-and-premier-inn-hit-by-data-breach 2

  19. https://www.theregister.com/2015/04/23/costa_coffee_club_members_security_breach/

  20. https://www.whoprofits.org/companies/company/4081

  21. https://palestinecampaign.org/campaigns/dont-buy-apartheid/

  22. https://www.ethicalconsumer.org/ethical-campaigns-boycotts/palestine-campaigners-target-coca-cola-israeli-fresh-produce