Digital Audit: Gucci
Audit Phase: Digital (Digital / Technology Forensics)
Subject Entity: Guccio Gucci S.p.A. (trading as Gucci), a wholly owned brand (“Maison”) of Kering S.A. (Euronext Paris: KER)
Registered Brand Seat: Florence, Italy; parent Kering S.A. headquartered at 40 Rue de Sèvres, 75007 Paris, France
Audit Date: June 2026
Evidence Base: Published corporate disclosures, vendor case studies and press releases, trade and technology press, cybersecurity incident reporting, and NGO/campaign material. All factual claims are drawn from publicly available sources cited in the End Notes.
Scope and directionality note: Digital assesses the digital/technology nexus to Israel. The serious case is the provision of surveillance, digital, data, or cyber technology to the Israeli state, military, or security services. The reverse direction - Gucci/Kering procuring technology from Israeli-origin vendors, or transferring its own customer data to an Israeli-domiciled processor - is a customer relationship and is recorded explicitly as such, weighted far lower than provision. No transitive guilt is imputed: an Israeli vendor’s other clients, its founders’ military backgrounds, or a parent group’s separate activities are not attributed to Gucci. US-entity relationships (e.g. Salesforce, Google) are not Israeli-origin and are noted only for completeness. Where evidence concerns Kering Group rather than the Gucci brand specifically, the level is stated.
Enterprise Technology Stack & Vendor Relationships
Strategic Technology Partnerships (Direction: Gucci as customer)
Gucci’s principal disclosed enterprise technology relationship is with Salesforce, a US-headquartered company. A published Salesforce customer story documents Gucci using Salesforce (including Einstein generative-AI features) across its client-service centres to assist client advisors with AI-generated reply suggestions and to connect stores and the Gucci app via Marketing Cloud.[1] Salesforce is a US entity; it maintains R&D operations in Israel through prior acquisitions, but this relationship is contracted with the US parent and is not an Israeli-origin vendor relationship; it is recorded for completeness only.[1] The materiality of the Salesforce dependency was demonstrated in the September 2025 breach (see “Offensive Cyber Capability” and “Civil Society Scrutiny” below), in which Kering customer data was exfiltrated via a Salesforce-instance compromise.[2][3]
Israeli-Origin Technology Vendors in the Gucci Stack (Direction: Gucci as customer)
Riskified - confirmed (e-commerce fraud prevention). The clearest documented Israeli-origin technology relationship is Gucci’s use of Riskified Ltd. as its online fraud-prevention provider. Riskified is an Israeli-founded SaaS fraud and chargeback-prevention company (founded 2012 by Eido Gal and Assaf Feldman; dual New York / Tel Aviv presence; registered offices at 30 Kalisher St., Tel Aviv; listed on the NYSE as RSKD in July 2021).[4] Its technology applies behavioural analysis, elastic linking, proxy detection, and machine learning to transaction-level data.[4] Gucci’s customer/privacy documentation discloses that when customers purchase on Gucci’s website, transaction details may be disclosed to Riskified Ltd. (Tel Aviv), reflecting a standard Riskified deployment pattern in which purchasing data is processed against an adequacy-decision data-transfer regime.[5] The senior depth of the relationship was evidenced when Eva Alvarez, identified as Director of Fraud, Risk & Payments at Gucci, received the “Champion of Community” award at Riskified’s Ascend 2024 “Titans of Ecommerce” summit (June 2024).[6] Direction: Gucci is the customer; Riskified is the Israeli-domiciled vendor. The associated cross-border personal-data flow to an Israeli processor is recorded under Cloud Infrastructure below.
Syte / AppsFlyer - claimed but not verified. Earlier internal research material flagged the Israeli visual-AI firm Syte and the Israeli mobile-attribution firm AppsFlyer as possible Gucci vendors. No Gucci/Kering corporate disclosure, co-published case study, or independent third-party confirmation of either integration was identified in live searches; the only material located was generic vendor marketing and platform documentation not specific to Gucci.[7] No public evidence identified confirming a Gucci–Syte or Gucci–AppsFlyer relationship.
Israeli-Origin Cybersecurity Vendors
No public evidence was identified confirming that Gucci or Kering holds a licensing, subscription, or integration relationship with any Israeli-origin cybersecurity vendor - including Check Point, Wiz, CyberArk, SentinelOne, Cato Networks, Claroty, Verint, or NICE Systems. General reporting confirms these are Israeli-founded firms (several with Unit 8200-veteran founders, e.g. Wiz, acquired by Google in 2025; CyberArk, acquired by Palo Alto Networks in 2025),[8] but none was linked to Gucci’s or Kering’s environment in any independently sourced record reviewed. No public evidence identified.
Procurement Transparency Constraints
Gucci is a brand within a privately governed luxury conglomerate not subject to public-procurement disclosure obligations. Kering’s annual reports and Universal Registration Documents do not contain granular IT or security vendor listings. Vendor relationships below the level of named, publicly announced partnerships are not in the public domain, and the full security/IT vendor stack is undisclosed. This is the principal evidence gap in this domain.
Surveillance, Biometrics & Retail Technology
Facial Recognition & In-Store Biometric Surveillance
No public evidence was identified that Gucci operates live facial-recognition, biometric identification, gait-analysis, or in-store behavioural-analytics technology in its retail stores, and no Israeli-origin surveillance vendor (e.g. Oosto/AnyVision, BriefCam, Trigo, Trax) was linked to Gucci in any source reviewed. General reporting documents growing retail-sector use of facial recognition (e.g. by other named US retailers), but no source connects Gucci to such deployments.[9] No public evidence identified.
Transaction-Behaviour Analytics (Riskified - Direction: Gucci as customer)
The one documented behavioural-data analytics relationship is the Riskified fraud-prevention deployment described above, which involves device fingerprinting and purchase-pattern analysis on Gucci e-commerce transactions.[4][5][6] This is a commercial fraud-prevention tool with Gucci as the customer, not a surveillance product sold by Gucci to any party.
Predictive Analytics, Workforce Monitoring & Social-Media Surveillance
No public evidence was identified of Gucci using Israeli-origin predictive-analytics, sentiment-analysis, social-media-monitoring, or workforce-surveillance tools. No public evidence identified.
Third-Party Loss Prevention & Store-Level CCTV Analytics
Third-party loss-prevention or CCTV-analytics sub-contractors used at Gucci store level are not publicly disclosed, and it cannot be confirmed or excluded from public evidence whether any such sub-contractor deploys Israeli-origin technology within its own platform. No public evidence identified linking any to Gucci.
Cloud Infrastructure, Data Residency & Sovereign Cloud Participation
Data-Centre Operations in Israel
No public evidence was identified that Gucci or Kering operates, leases, or co-locates data-centre infrastructure within Israel. No public evidence identified.
Third-Party Data Residency in Israel (Riskified pathway - Direction: Gucci as customer)
Gucci’s customer/privacy documentation discloses the transfer of online-purchase transaction details to Riskified Ltd., an Israeli-domiciled processor, with processing governed by the EU adequacy framework for cross-border transfer.[5][4] This is a confirmed cross-border personal-data flow from Gucci to an Israeli-domiciled vendor (Gucci as data exporter/customer). It is not Gucci-operated infrastructure inside Israel, and it is the reverse of the directionally serious Digital case (Gucci is not providing data about Israeli or Palestinian populations to the Israeli state; it is sending its own customers’ e-commerce data to a commercial fraud vendor). Recorded explicitly as a customer/data-exporter relationship.
Project Nimbus & Israeli State Cloud Infrastructure
Not applicable. Project Nimbus is the Israeli-government cloud contract awarded to Google Cloud and Amazon Web Services; neither Gucci nor Kering is a participant or sub-provider. No public evidence was identified of Gucci or Kering involvement in any Israeli state-backed digital-infrastructure programme. No public evidence identified.
Data-Sovereignty or Resilience Services to Israeli State Institutions
No public evidence identified. Gucci is a luxury retail brand and does not operate as a technology or cloud-service provider to any state body, Israeli or otherwise.
Defence, Intelligence & Security Sector Technology Relationships
Military & Intelligence Contracts
No public evidence was identified of any contract, partnership, or service agreement between Gucci (or Kering) and the Israeli Ministry of Defence, the Israel Defense Forces (IDF), Mossad, Shin Bet, or any Israeli intelligence agency. Gucci is a luxury fashion and retail business and does not publicly operate in the defence-technology or security-services sector. No public evidence identified.
Provision of Technology / Data to the Israeli State or Military
No public evidence was identified of Gucci providing surveillance technology, data, software, cloud capacity, or digital services to the Israeli state, military, or security services. This is the directionally serious Digital case, and no qualifying evidence of it was found. No public evidence identified.
Dual-Use Technology Provision
No public evidence was identified of Gucci commercial technology (e-commerce platform, CRM, or analytics infrastructure) being reported or confirmed as deployed for military, intelligence, or law-enforcement surveillance applications in Israel or the Occupied Palestinian Territories. No public evidence identified.
Offensive Cyber Capability
No public evidence identified. Gucci does not develop, license, or sell offensive cyber capability. Gucci was itself the victim of a major data breach in 2025: an unauthorised third party accessed Kering systems (reported initial access around April 2025, detected June 2025, publicly disclosed mid-September 2025) via a compromised Salesforce instance, an intrusion attributed in reporting to the ShinyHunters group using vishing/social-engineering techniques.[2][3][10] Compromised data spanned customer names, email addresses, phone numbers, postal addresses, dates of birth, and lifetime spend; Kering stated no financial-account or government-identifier data was taken.[2][3] ShinyHunters claimed data tied to 7.4 million unique email addresses across Gucci, Balenciaga, Alexander McQueen and Brioni.[3][11] This incident was done to Gucci/Kering and has no nexus to provision of technology to Israel; it is recorded here as factual digital context only.
AI, Algorithmic & Autonomous Systems
AI/ML Provision to Israeli State Bodies
No public evidence identified. No public evidence was identified of Gucci or Kering providing AI capability, model access, training data, or inference services to any Israeli state, military, or security body.
Training Data & Model Development Involving Israeli Population Data
No public evidence was identified of Gucci contributing to, commissioning, or benefiting from AI model development involving Israeli or Palestinian population datasets. No public evidence identified.
Autonomous Systems & Lethality
No public evidence identified. The development or deployment of autonomous lethal systems is not within Gucci’s business domain.
Internal Algorithmic Deployment - Israeli-Origin AI Tooling
Gucci’s documented internal AI deployment runs through Salesforce’s Einstein platform (US entity) for client-service support.[1] Of the Israeli-origin vendors identified in this audit, Riskified supplies machine-learning fraud detection on Gucci e-commerce transactions (Gucci as customer).[4][5] No public evidence was identified of any other Israeli-origin AI vendor embedded in Gucci’s stack; the undisclosed full vendor list means secondary embedding within managed services cannot be positively excluded, but no such instance was identified.
Technology Ecosystem & R&D Footprint
Israeli R&D Facilities
No public evidence was identified that Gucci or Kering operates any R&D facility, engineering office, innovation lab, or accelerator programme within Israel. No public evidence identified.
Acquisitions & Investments in Israeli Technology Companies
No public evidence was identified of Gucci or Kering acquiring, or taking a corporate-venture stake in, any Israeli technology company. The Riskified relationship is a commercial procurement (Gucci as customer), not an investment. No public evidence identified.
Sonovia - Kering-Level Sustainable-Textile Technology (Direction: Kering as adopter/customer)
Sonovia Ltd. is an Israeli green-textile-technology company (founded 2013, listed on the Tel Aviv Stock Exchange) that develops ultrasonic (“D(y)enim”) indigo yarn-dyeing technology reducing dyeing water use by up to ~85%.[12][13] In 2022–2023, Kering entered an agreement with Sonovia and Italian manufacturer PureDenim to develop and adapt this ultrasonic dyeing technology into Kering’s denim lines as part of Kering’s sustainability strategy.[12][13][14] This relationship is at Kering Group level and is a sustainability-R&D adoption (Kering as adopter/customer of Israeli textile technology); contemporaneous reporting names Gucci only as one of Kering’s brands, not as a specific recipient of the technology.[12][13] Recorded as a Kering-level inbound (customer-direction) relationship, not a Gucci-specific deployment and not provision of technology to Israel.
Patents & IP Co-Development with Israeli Institutions
No public evidence was identified of patent portfolios, licensing, or co-development arrangements between Gucci/Kering and Israeli-domiciled research institutions (Technion, Hebrew University, Weizmann Institute). No public evidence identified.
Supplier Code of Conduct - Technology Supply-Chain Provisions
No public evidence was identified that Gucci’s or Kering’s responsible-sourcing frameworks contain provisions governing the national origin or geopolitical exposure of technology vendors, software suppliers, or digital-infrastructure providers. No public evidence identified.
Civil Society Scrutiny & Regulatory History
NGO & Academic Scrutiny - Technology Supply Chain
No public evidence was identified of an NGO investigation, academic study, or UN report addressing Gucci’s or Kering’s technology relationships with the Israeli state, Israeli defence entities, or Israeli-origin vendors. The Who Profits Research Centre database (focused on corporate involvement in the settlement economy) was reviewed in searches and surfaced no Gucci/Kering technology-related listing.[15] No public evidence identified.
BDS Campaigns
Gucci is the subject of informal consumer-level boycott discussion in Palestine-solidarity contexts on social media, generally tied to its commercial retail presence in Israel (a physical store at Kikar Hamedina, Tel Aviv) rather than to any technology relationship.[16][17] Reviewed sources indicate Gucci/Kering is not a named priority target on the BDS Movement’s official campaign list.[17] No public evidence was identified of any BDS or NGO campaign specifically targeting Gucci’s technology relationships, software licensing, or digital-infrastructure provision. No public evidence identified.
Data-Protection Regulatory Actions - 2025 Breach
The 2025 Kering breach (above) compromised Gucci customer personal data and, as Kering is French-headquartered, falls within the remit of the French CNIL and other EU data-protection authorities; reporting indicates Kering notified relevant authorities, and US class-action litigation was reported in connection with the breach.[2][3][11][18] No specific CNIL enforcement decision or sanction arising from the breach was confirmed in sources reviewed. This exposure concerns Gucci’s posture as the victim of an attack and is not connected to any Israeli-origin technology relationship.
Export Controls & Sanctions Authorities
No public evidence was identified of any action by export-control, customs, or financial-sanctions authorities relating to Gucci or Kering technology sales, services, or data transfers to Israeli state entities. No public evidence identified.
Regulatory & Legal Actions - Technology Sales to Israeli State Entities
No public evidence identified of any regulatory, export-control, or sanctions-body action relating to Gucci technology sales or services to Israeli state entities.
End Notes
Footnotes
- https://www.salesforce.com/customer-stories/gucci-ai-amplifies-client-service/
- https://www.infosecurity-magazine.com/news/gucci-mcqueen-customer-breach/
- https://techcrunch.com/2025/09/15/company-that-owns-gucci-balenciaga-other-brands-confirms-hack/
- https://www.breitling.com/us-en/privacy-policy/suppliers/
- https://www.infosecurity-magazine.com/news-features/biggest-cybersecurity-mergers/
- https://www.aclu.org/news/privacy-technology/retailers-secretively-using-face-recognition
- https://cyberinsider.com/gucci-balenciaga-alexander-mcqueen-victim-of-major-data-breach-via-salesforce-attack/
- https://cybernews.com/news/gucci-balenciaga-kering-data-breach-7-million-customers-compromised-shiny-hunters/
- https://wwd.com/sourcing-journal/sj-denim/sonovia-kering-puredenim-indigo-ultrasonic-dyeing-technology-sustainability-1238815795/
- https://fashionunited.uk/news/business/kering-partners-with-sonovia-on-denim-dyeing-technology/2023050969449
- https://www.jpost.com/environment-and-climate-change/article-742419
- https://topclassactions.com/lawsuit-settlements/lawsuit-news/gucci-balenciaga-and-mcqueen-hit-by-massive-kering-data-breach/