INDEX / DIRECTORY / ZARA / DIGITAL

Zara DIGITAL

DIGITAL INFRASTRUCTURE AUDIT UPDATED 2026-06-14
Digital Score 0.01 /10 D Zara - BDS-1000 351
Digital 0.01

Evidence-only forensic audit. Scoring happens downstream - see the main dossier for the composite assessment.

Digital Audit: Zara / Inditex Group

Audit Phase: Digital (Digital / Technology Forensics) Subject Entity: Zara, operating under Industria de Diseño Textil, S.A. (Inditex S.A.), Avenida de la Diputación, Edificio Inditex, Arteixo, A Coruña, Spain (BMAD: ITX) Audit Date: June 2026 Evidence Base: Published corporate disclosures, vendor case-study and trust-centre materials, vendor and trade press, security-incident reporting, NGO research, and biometric-policy/regulatory reporting. All factual claims are drawn from publicly available sources cited in the End Notes.

Scope and directionality note: Digital assesses the digital/technology nexus to Israel. The serious case is the provision of surveillance, digital, data, or cyber technology to the Israeli state, military, or security services. The reverse direction - Inditex/Zara procuring technology from Israeli-origin vendors - is a customer relationship and is recorded explicitly as such, weighted far lower than provision. No transitive guilt is imputed: an Israeli vendor’s other clients, its founders’ military backgrounds, or a parent group’s separate activities are not attributed to Inditex. US-entity relationships are not Israeli-origin and are noted only for completeness.

Enterprise Technology Stack & Vendor Relationships

Core Enterprise Platforms (Direction: Inditex as customer)

Inditex’s publicly documented core enterprise stack centres on SAP (migrated to SAP S/4HANA for finance from SAP ERP ECC 6.0 in 2022) alongside extensive in-house-developed applications, including its proprietary Inditex Open Platform (IOP).12 None of these core platforms is an Israeli-origin product.

Israeli-Origin Technology Vendors in the Inditex Stack (Direction: Inditex as customer)

Torq (security hyperautomation / SOC orchestration) - Torq’s public trust centre lists Inditex among its trusted customers, and Torq’s own EMEA results announcement names Zara as an enterprise customer joining its ranks during a record EMEA quarter.34 Torq (Torq Networks / Torq.io) was co-founded by Ofer Smadari, Leonid Belkind, and Eldad Livni, who previously co-founded Luminate Security; trade press identifies the company as Israeli-founded.4 The deployed function is no-code/agentic security-operations automation. Direction: Inditex/Zara as customer; this is a procurement relationship, not provision to any Israeli entity. Relationship status: reported active as of 2025.

Anodot / Glassbox (anomaly-detection analytics) - via the April 2026 third-party breach chain - In April 2026 Inditex disclosed a data-security incident affecting a “former technology provider,” stating its own systems were unaffected and that the exposed data related to “commercial relations” and did not include client names, contact details, passwords, or payment data.56 The extortion group ShinyHunters listed Zara on its leak site and claimed the data was compromised via the Anodot.com data-analytics platform (a “BigQuery instances” dataset).67 Anodot Ltd. is an Israeli-founded anomaly-detection company headquartered in Ra’anana, Israel, co-founded in 2014 by David Drai, Ira Cohen, and Shay Lang.8 Anodot was acquired in November 2025 by Glassbox, an Israeli digital-experience-analytics firm established in 2010 with operations in Petah Tikva, Israel.910 Direction: Anodot/Glassbox is (or was) a vendor to Inditex (Inditex as customer); the breach itself was an event done to the breach-chain, not provision by Inditex. The specific contractual scope and current status of any Anodot/Glassbox engagement is not disclosed by Inditex.5

Israeli-Origin Vendors - Asserted but Not Independently Verified

The following Israeli-origin security vendors have been asserted in prior research as part of the Inditex stack but could not be independently corroborated in this review against any corporate filing, vendor case study, press release, or trust-centre listing:

Procurement & Integrator Relationships

No public evidence was identified that any systems-integrator engagement specifically procured, mandated, or deployed Israeli-origin technology within Inditex programmes. The full IT/security vendor stack below the level of named, publicly disclosed relationships is undisclosed; this is the principal evidence gap in this domain.

Surveillance, Biometrics & Retail Technology

RFID & Inventory Tracking

Zara’s item-level RFID deployment is among the most extensively documented in global retail. Inditex awarded Tyco Retail Solutions (Sensormatic; now part of Johnson Controls, a US/Ireland-domiciled entity) a chain-wide contract, with Tyco’s Sensormatic dual-technology RFID/Acousto-Magnetic hard tags deployed across roughly 700 Zara stores in 22 countries by 2014 and across the full Zara estate (~2,000 stores) by end-2016.1415 The documented function is inventory management and electronic article surveillance (loss prevention), not biometric identification. The primary vendor is US/Ireland-domiciled, not Israeli-origin.

Tyco’s 2011 acquisition of Visonic Ltd. (a Tel Aviv-headquartered wireless intrusion-detection sensor company, with a design centre in Tel Aviv and manufacturing in Kiryat Gat, Israel) is documented.16 No public source reviewed establishes that Visonic-origin technology is embedded in Zara’s specific loss-prevention deployment; the inference from portfolio ownership alone is not supported by any product-integration document. Status: inferential, not verified.

Facial Recognition & Computer Vision

No public evidence was identified of Zara/Inditex deploying facial-recognition, gait-analysis, or re-identification surveillance analytics of Israeli origin. Israeli-origin retail computer-vision and facial-recognition platforms (Trigo, AnyVision/Oosto, BriefCam, Trax) were checked; no verified Inditex contract, pilot, or deployment with any of them was identified. No public evidence identified.

Predictive Analytics, Workforce Monitoring & Social-Media Surveillance

No public evidence was identified of Inditex using Israeli-origin predictive-analytics, sentiment-analysis, social-media-monitoring, or workforce-surveillance tools (beyond the unverified NICE/Verint assertions noted above). No public evidence identified.

Third-Party / Indirect Surveillance Pathways

No public evidence was identified of Israeli-origin surveillance technology reaching Inditex through managed security services, bundled enterprise suites, or white-labelled integrator solutions. No public evidence identified.

Cloud Infrastructure, Data Residency & Sovereign Cloud Participation

Inditex Cloud Architecture

Inditex’s documented architecture is built around the proprietary Inditex Open Platform (IOP), its RFID layer, and the Integrated Stock Management System (SINT), with public technical materials referencing Microsoft Azure and Google Cloud among its cloud platforms.12 Inditex’s principal technology operations are based at its Arteixo (A Coruña) headquarters, with technology hubs elsewhere in Europe.

Data Centre Operations in Israel

No public evidence was identified that Inditex operates, leases, or co-locates data-centre infrastructure within Israel. No public evidence identified.

Project Nimbus & Israeli State Cloud Infrastructure

Project Nimbus is the Israeli-government cloud contract awarded to Google Cloud and AWS; Inditex is neither a participant nor a sub-provider. Zara’s Israeli e-commerce operations run through the franchise partner Trimera Brands (see Technology Ecosystem section); whether any Zara workloads are routed through the AWS Israel (Tel Aviv) region or Google Cloud me-west1 region is not disclosed in any public filing or technical disclosure reviewed. No public evidence of Inditex participation in Project Nimbus - directly or via cloud-region selection - was identified. No public evidence identified.

Data-Sovereignty or Resilience Services to Israeli State Institutions

Inditex is a consumer of cloud services, not a provider. No public evidence was identified of Inditex entering data-sharing or infrastructure-support agreements with Israeli state bodies. No public evidence identified.

Defence, Intelligence & Security Sector Technology Relationships

Military & Intelligence Contracts

No public evidence was identified of any contract, partnership, or service agreement between Inditex and the Israeli Ministry of Defence, the Israel Defense Forces (IDF), the Shin Bet (ISA), Mossad, or any Israeli military or intelligence body. Inditex is a fashion retail group and does not publicly operate in the defence-technology or security-services sector. No public evidence identified.

Provision of Technology / Data to the Israeli State or Military

No public evidence was identified of Inditex providing surveillance technology, data, software, cloud capacity, or digital services to the Israeli state, military, or security services. This is the directionally serious Digital case, and no qualifying evidence of it was found. No public evidence identified.

Dual-Use Technology Provision

No public evidence was identified of Inditex’s commercial technology (RFID infrastructure, IOP, demand-forecasting systems, or logistics automation) being reported or deployed for military, intelligence, or law-enforcement surveillance applications in Israel or the Occupied Palestinian Territories. No public evidence identified.

Offensive Cyber Capability

Inditex does not develop, license, or sell offensive cyber capability. No public evidence identified. Separately, Inditex was the subject of the April 2026 third-party data-security incident described above; that incident was done to the breach chain and has no nexus to provision of technology to Israel.56

AI, Algorithmic & Autonomous Systems

Internal AI/ML Deployment

Inditex deploys AI/ML across core commercial functions - demand forecasting and inventory optimisation, e-commerce personalisation/recommendation, supply-chain and logistics routing, and trend analysis - as referenced in its technology and innovation disclosures.12 These are commercially disclosed functions with no identified connection to Israeli state, military, or security use cases.

AI/ML Provision to Israeli State Bodies

No public evidence was identified of Inditex providing AI systems, models, datasets, or algorithmic tools to Israeli state, military, intelligence, or law-enforcement bodies. No public evidence identified.

Training Data & Surveillance-Derived Data

No public evidence was identified of Inditex AI models being trained on, or drawing from, surveillance-derived datasets originating in Israel or the Occupied Palestinian Territories. No public evidence identified.

Israeli-Origin AI Tooling in the Stack

Of the Israeli-origin vendors identified in this audit, Torq supplies agentic/AI-driven security-operations automation as a customer-facing procurement (Inditex as customer), and Anodot is a machine-learning anomaly-detection vendor implicated in the April 2026 breach chain (Inditex as customer).48 No public evidence was identified of any other Israeli-origin AI vendor embedded in Inditex’s stack; the undisclosed full vendor list means secondary embedding within managed services cannot be positively excluded, but no such instance was identified.

Autonomous Systems & Lethality

The development or deployment of autonomous lethal systems is not within Inditex’s business domain. No public evidence identified.

Technology Ecosystem & R&D Footprint

Israeli R&D Facilities

No public evidence was identified that Inditex operates, funds, or co-locates any R&D facility, engineering office, innovation lab, or accelerator programme within Israel. Inditex’s principal technology and R&D operations are based at Arteixo (A Coruña, Spain) and other European hubs.1 No public evidence identified.

Acquisitions & Investments in Israeli Technology Companies

No public evidence was identified of Inditex acquiring, or taking a corporate-venture stake in, any Israeli-origin technology company, nor of Inditex participation in Israeli technology accelerators or venture foundries (e.g. Team8). The Israeli-origin vendors identified here (Torq; Anodot/Glassbox) are commercial software suppliers, not Inditex investments. No public evidence identified.

Patents & IP Co-Development with Israeli Institutions

No public evidence was identified of patent portfolios, licensing, or co-development arrangements between Inditex and Israeli-domiciled entities or research institutions (Technion, Hebrew University, Weizmann Institute). No public evidence identified.

Franchise Operations & Israeli Market Presence - Digital Infrastructure Overlap

Inditex operates in Israel through the franchise partner Trimera Brands (president Joey Schwebel), which operated approximately 84 Zara stores in Israel as of early 2025, including a flagship Tel Aviv store opened in February 2025.17 The technology infrastructure operated by Trimera within Israeli stores (POS, payment processing, EAS/RFID tagging, and zara.co.il e-commerce hosting) and whether it shares central IOP/customer-data architecture with Inditex S.A. is not separately disclosed in any public document reviewed. Recorded as an unresolved indirect-exposure question, not a finding. No public evidence identified.

Supplier / Technology Supply-Chain Geopolitical Provisions

No public evidence was identified that Inditex’s responsible-sourcing or supplier-conduct frameworks contain provisions governing the national origin or geopolitical exposure of technology vendors, software suppliers, or digital-infrastructure providers. No public evidence identified.

Civil Society Scrutiny & Regulatory History

NGO & Academic Scrutiny - Technology Supply Chain

Civil-society attention on Inditex in relation to Israel centres on its franchise-based commercial operations in the Israeli market through Trimera Brands, not on technology procurement.1718 No UN Special Rapporteur report, Human Rights Council documentation, or peer-reviewed academic study specifically addressing Inditex’s technology supply chain in relation to Israeli state operations or military surveillance was identified. No public evidence identified for technology-supply-chain-specific scrutiny.

Boycott & Divestment Campaigns

A sustained boycott campaign against Zara emerged in October 2022, triggered by Trimera Brands chairman/president Joey Schwebel (a Canadian-Israeli) hosting a campaign/parlour event at his home in Ra’anana for Itamar Ben-Gvir, then a far-right Knesset member and Otzma Yehudit leader (subsequently appointed Minister of National Security in December 2022).1920 Documented consequences included videos of Palestinians burning Zara clothing, a Palestinian Authority Sharia ruling against purchasing Zara products, and a formal BDS Movement boycott call against Zara.192122

Inditex’s documented response stated that “the statements of the Zara agent do not represent or reflect the company’s policy and opinion,” affirming a commitment to defend human rights and reject racism; Inditex did not terminate the franchise agreement, which continued.23 In December 2023, Inditex withdrew a Zara advertising campaign (“The Jacket”) from its website front page after activists said the imagery - mannequins missing limbs and figures in white shrouds - resembled Gaza casualties; Inditex characterised the removal as routine content refreshing.24 In September 2024, the European Works Council representing Inditex employees publicly urged the company to sever its Israeli franchise ties, citing the humanitarian situation in Gaza.25 No technology-specific boycott or divestment campaign targeting Inditex’s Israeli-origin technology vendor relationships - as distinct from the franchise/commercial-operations campaign - was identified. No public evidence identified for a technology-specific campaign.

Data Protection & Privacy Proceedings

No public evidence was identified of regulatory action by the Spanish Agencia Española de Protección de Datos (AEPD), the European Data Protection Board, or any national data-protection authority specifically connected to Inditex’s Israeli operations, data transfers to Israeli cloud regions, or surveillance-technology deployments. The April 2026 third-party data-security incident triggered data-protection scrutiny concerning Inditex’s posture as the subject of an attack and the security of a third-party provider; it is not connected to any Israeli-origin technology provision.56 No public evidence identified for an Israel-nexus data-protection action.

Export Controls & Sanctions Authorities

No public evidence was identified of any action by export-control or sanctions authorities relating to Inditex technology sales, services, or data transfers to Israeli state entities. Inditex is a consumer of commercial technology, not a technology exporter to Israel. No public evidence identified.

Regulatory & Legal Actions - Technology Sales to Israeli State Entities

No public evidence was identified of any regulatory, competition, export-control, or sanctions-body action relating to Inditex technology sales or services to Israeli state entities. No public evidence identified.

End Notes

Footnotes

  1. https://static.inditex.com/annual_report_2021/en/documents/innovation-vital-transformation.pdf 2 3 4

  2. https://www.appsruntheworld.com/customers-database/customers/view/inditex-spain 2 3

  3. https://securitytrust.torq.io/

  4. https://torq.io/news/torq-crushes-emea-estimates/ 2 3

  5. https://www.bloomberg.com/news/articles/2026-04-16/inditex-flags-contractor-data-leak-says-client-records-safe 2 3 4

  6. https://cyberinsider.com/inditex-confirms-third-party-breach-as-hackers-threaten-zara-data-leak/ 2 3 4

  7. https://www.upguard.com/news/inditex-data-breach-2026-04-17

  8. https://www.calcalistech.com/ctech/articles/0,7340,L-3727745,00.html 2

  9. https://www.businesswire.com/news/home/20251104734652/en/Glassbox-Strengthens-Anomaly-Detection-With-Acquisition-of-Anodot

  10. https://en.wikipedia.org/wiki/Glassbox

  11. https://www.wiz.io/customers

  12. https://claroty.com/resources/case-studies

  13. https://www.cyberark.com/press/cyberark-and-sentinelone-team-up-to-enable-step-change-in-endpoint-and-identity-security/

  14. https://chainstoreage.com/news/tyco-rolling-out-rfid-based-inventory-intelligence-across-zara-stores-worldwide

  15. https://www.rfidjournal.com/news/tyco-wins-chain-wide-contract-from-inditex/74077/

  16. https://www.prnewswire.com/news-releases/visonic-ltd-to-be-acquired-by-tyco-international-129865728.html

  17. https://www.ynetnews.com/business/article/h18ydatpxx 2

  18. https://bdsmovement.net/news/boycott-zara-dressing-apartheid-and-genocide

  19. https://www.timesofisrael.com/arabs-burn-zara-clothes-call-for-boycott-after-franchisee-hosts-ben-gvir-event/ 2

  20. https://www.jpost.com/israel-news/article-720277

  21. https://english.elpais.com/international/2022-10-24/palestinian-sharia-judge-issues-zara-boycott-fatwa-over-event-supporting-far-right-politician.html

  22. https://bdsmovement.net/zara

  23. https://english.wafa.ps/Pages/Details/131816

  24. https://www.aljazeera.com/amp/news/2023/12/11/zara-pulls-controversial-ad-from-website-after-gaza-boycott-calls

  25. https://www.ynetnews.com/business/article/h18ydatpxx