V-DIG Domain Audit: NordVPN / Nord Security

Audit Phase: V-DIG Target Company: NordVPN / Nord Security Date: 2026-05-01 Jurisdiction of Incorporation: Tefincom SA (Panama); Nord Security UAB (Lithuania)

Enterprise Technology Stack & Vendor Relationships

Israeli-Origin Software Recommendations

NordVPN’s official blog, in a post titled “A list of 20 essential cybersecurity tools for 2026,” explicitly names and editorially recommends three Israeli-origin or Israeli-founded cybersecurity vendors to its business readership ¹:

• Check Point Software Technologies: Founded by Gil Shwed, a veteran of the Israeli Defence Forces’ intelligence signals unit, and headquartered in Tel Aviv, Israel ². Recommended by NordVPN’s blog as a firewall and threat prevention solution for businesses.
• Wiz: Founded by Assaf Rappaport and three co-founders, all alumni of Israeli military intelligence (Unit 8200) ³, Wiz is recommended in the same post as a cloud security platform. Unit 8200 is the IDF’s primary signals intelligence and cyber unit ⁴.
• CyberArk: An Israeli-founded Privileged Access Management vendor with dual headquarters in Petah Tikva, Israel and Newton, Massachusetts ⁵. Also recommended in the same NordVPN blog post for enterprise privileged access control.

Important qualification: The relationship between Nord Security and these three vendors is, based on available public evidence, limited to editorial content marketing — NordVPN recommending these tools to its customers in a blog post ¹. No corporate procurement disclosure, technical architecture document, public contract, or press release confirming that Check Point, Wiz, or CyberArk underpin Nord Security’s own internal infrastructure has been identified. The scope of any direct internal dependency therefore cannot be assessed from publicly available evidence.

Identity & Access Management Integrations

NordLayer — Nord Security’s business-focused network security product — publishes documented integrations with Okta and JumpCloud for Single Sign-On (SSO) and identity federation ⁶⁷. Both are US-incorporated companies; neither has established Israeli-origin provenance. NordLayer also maintains a dedicated vendor access management product for controlling third-party supplier access to enterprise networks ⁸.

NordLayer’s technical specification documentation confirms support for SAML 2.0 and SCIM provisioning through these integrations, enabling centralised identity management for enterprise deployments ⁹.

MSP Channel & Reseller Relationships

• 127 Media, a UK-based IT reseller, publicly lists NordLayer and NordPass as products it distributes to SME customers ¹⁰. No evidence identifies 127 Media as mandating Israeli-origin technology as part of Nord deployments.
• Nord Security products appear in the Insight Public Sector manufacturer and supplier catalog, a US government purchasing vehicle, in a document dated 2025-12-05 ¹¹. This places Nord Security products within a procurement catalog that also independently lists Check Point and other vendors as separate suppliers. Co-listing in the same procurement catalog does not constitute a mandated integrator relationship, joint deployment, or strategic alignment between Nord Security and those co-listed vendors.

Unverified or Discarded Vendor Claims

• SentinelOne (Israeli-American co-founders ¹²): A claim that SentinelOne is a primary MSP partner for NordLayer via the Pax8 distribution platform has not been confirmed against any official NordLayer, Pax8, or SentinelOne press release or partner page. This claim should be treated as unverified pending direct source confirmation.
• CrowdStrike: No public NordLayer–CrowdStrike integration announcement or strategic partnership has been identified. A shared Warburg Pincus investor relationship between CrowdStrike ¹³ and Nord Security ¹⁴ does not constitute evidence of a technology partnership.
• Palo Alto Networks, Verint, NICE, Claroty: No public evidence identified of any licensing, integration, or procurement relationship with Nord Security.

Investor Relationships

Nord Security raised a $100M Series A round in April 2022 at a $1.6B valuation, led by General Catalyst ¹⁵. A subsequent $100M funding round in September 2023 was led by Warburg Pincus, valuing the company at approximately $3B ¹⁴¹⁶. Warburg Pincus’s portfolio includes both CrowdStrike ¹³ and Zimperium ¹⁷, two cybersecurity companies — though no evidence establishes that these co-portfolio relationships have produced technology integrations or commercial agreements with Nord Security.

Surveillance, Biometrics & Retail Technology

Biometric Authentication

NordLayer supports biometric authentication — specifically fingerprint and Face ID — as a multi-factor authentication (MFA) method ¹⁸⁹. This is implemented via device-native operating system biometric APIs: Apple Face ID and Touch ID, and Android’s biometric authentication framework. This is standard MFA implementation using the end-user’s device hardware; it does not involve procurement of a third-party biometric analytics, facial recognition, or liveness detection platform.

Facial Recognition

No public evidence has been identified that Nord Security procures, integrates, or deploys products from facial recognition or biometric analytics vendors, whether Israeli-origin or otherwise. Vendors including Trigo, BriefCam (a Canon subsidiary), AnyVision/Oosto, or Trax are not referenced in any Nord Security public documentation identified in available sources.

A prior research draft suggested that NordLayer’s SSO integrations with Okta and JumpCloud involve “facial recognition.” This framing is not supported by available evidence: Okta and JumpCloud are identity federation platforms, and their documented NordLayer integrations are limited to SAML-based SSO and SCIM user provisioning ⁶⁷. Neither platform is a facial recognition vendor, and no facial recognition capability is described in these integration pages.

Predictive Analytics, Sentiment Monitoring & Workforce Surveillance

No public evidence identified of Nord Security deploying Israeli-origin or any other predictive analytics, sentiment analysis, social media monitoring, or workforce surveillance tools. No third-party surveillance technology reaching Nord Security through managed services or bundled enterprise suites has been identified.

Cloud Infrastructure, Data Residency & Sovereign Cloud Participation

VPN Exit Node Presence in Israel

NordVPN publicly lists Israel (Tel Aviv) as an available server location on its official server list page ¹⁹. IP intelligence data confirms a NordVPN exit node at IP address 169.150.226.32, attributed to Tel Aviv, Israel ²⁰²¹. The associated ASNs identified in that IP intelligence data include AS141039 (PacketHub) and AS207137 (Tefincom SA), the latter being the registered operating entity for NordVPN, incorporated in Panama ²⁰²¹.

The hosting provider for these Israeli nodes is identified in IP intelligence records as DataCamp (AS212238), a commercially registered global dedicated server and colocation provider ²⁰. DataCamp is not an Israeli state or military entity.

NordVPN also offers a Dedicated IP option in Israel (Tel Aviv), allowing business customers to maintain a static Israeli exit IP address for persistent local-access or compliance use cases ¹⁹. The architecture of these Israeli nodes is structurally identical to NordVPN’s nodes in every other country in which it operates.

Israeli Lawful Intercept Obligations: Unresolved Evidence Gap

Whether Israeli communications law imposes lawful intercept obligations on foreign-operated VPN exit nodes hosted by commercial colocation providers such as DataCamp within Israeli territory is a legal question not resolved by available public sources. This represents a material evidence gap: Israeli law (including the Communications Data Law framework) may impose data retention or interception assistance requirements on infrastructure providers operating within Israeli jurisdiction, but no public regulatory guidance or confirmed case addressing VPN exit node operators specifically in this context has been identified.

Project Nimbus

Project Nimbus is the Israeli government cloud infrastructure contract awarded to AWS and Google Cloud in 2021, valued at approximately $1.2 billion, intended to provide cloud services to Israeli government ministries and the IDF ²². Nord Security / NordVPN is not identified as a contractor, subcontractor, reseller, or participant in Project Nimbus in any public record identified.

NordLayer’s technical documentation confirms the product can be deployed as a network security overlay within AWS and Google Cloud environments ⁹²³. AWS and Google Cloud are global commercial cloud platforms serving hundreds of thousands of organisations worldwide. NordLayer’s support for these platforms does not constitute participation in, alignment with, or facilitation of Project Nimbus. No evidence supports that characterisation.

Sovereign Cloud & Israeli State Data Contracts

No public evidence identified of Nord Security marketing or contracting sovereign cloud, data residency, or resilience services specifically for Israeli state institutions, military bodies, or government data sovereignty programmes.

Defence, Intelligence & Security Sector Technology Relationships

Military & Intelligence Contracts

No public evidence has been identified of any contract, partnership, memorandum of understanding, or service agreement between Nord Security and the Israeli Ministry of Defence, the Israel Defence Forces, Shin Bet, Mossad, Unit 8200, or any other Israeli security or intelligence body.

Dual-Use Technology & Occupation-Linked Deployment

No confirmed instance of Nord Security technology being deployed for military, intelligence, or law enforcement surveillance within Israel or the occupied Palestinian territories has been identified in any investigative report, NGO publication, or official source reviewed.

A self-published opinion piece on Medium (Coinmonks channel, author Bikram Biswas) makes theoretical arguments about VPN infrastructure’s potential vulnerability to traffic analysis by intelligence agencies, and references Unit 8200 in the context of VPN operators generally ²⁴. This article does not document a confirmed instance of Nord Security technology being used for such purposes, does not cite primary sources establishing a specific Nord Security–IDF relationship, and is a self-published analysis piece, not an investigative journalism report with primary sourcing. It should not be treated as authoritative evidence of a technology relationship.

Offensive Cyber & Weapons Technology

No public evidence identified of Nord Security involvement in offensive cyber operations, weapons system development, or dual-use technology provision to any military actor.

AI, Algorithmic & Autonomous Systems

AI Features in Consumer & Business Products

NordVPN’s Threat Protection feature employs machine learning for malware URL detection, ad blocking, and tracker blocking, as described on the product feature page [^35]. This is a consumer and business-facing network security feature. No documented application to state surveillance, military targeting, or autonomous decision-making has been identified.

AI Tool Recommendations to Customers

NordVPN’s cybersecurity tools blog post editorially references “AI-powered cybersecurity tools” including SentinelOne Purple AI and Google Gemini SecOps as tools businesses may consider deploying alongside Nord products ¹. These are editorial recommendations to Nord’s readership, not internal Nord deployments and not provisions of AI systems to state bodies.

AI Provision to State Bodies

No public evidence identified of Nord Security providing AI or machine learning systems, training data, inference infrastructure, or algorithmic decision-making tools to Israeli state, military, or intelligence bodies.

Autonomous Systems & Lethality

No public evidence identified of any Nord Security involvement in autonomous weapons, lethal autonomous systems, targeting algorithms, or related dual-use AI development.

Training Data & Model Development

No public evidence identified of Nord Security licensing training data to, or co-developing AI models with, Israeli state-affiliated research institutions, defence contractors, or intelligence bodies.

Technology Ecosystem & R&D Footprint

Corporate Structure & Headquarters

Nord Security’s documented corporate presence is centred in Vilnius, Lithuania (headquarters), with additional offices in Warsaw and other European cities ²⁵. The operating entity for the VPN product is Tefincom SA, registered in Panama. As a private company, Nord Security does not file public financial disclosures, which limits supply-chain and vendor-relationship transparency.

Israeli R&D Presence

No public evidence identified of Nord Security operating R&D facilities, engineering offices, innovation labs, accelerator programmes, or co-development arrangements within Israel. No job postings, press releases, or property records placing Nord Security personnel or facilities in Israel have been identified.

Acquisitions & Strategic Investments

Nord Security’s documented significant acquisitions include:

• Surfshark: Merger completed 2022; Surfshark is a Lithuanian/British Virgin Islands-registered VPN company ²⁶. Not Israeli-origin.
• Clario Tech: Consumer security tools company, acquired 2021.

No acquisition of Israeli-origin technology companies and no strategic investment in Israeli technology startups or Israeli venture funds has been identified in public records.

Patent & Intellectual Property

No public evidence identified of significant patent portfolios, licensing agreements, co-development projects, or joint IP arrangements between Nord Security and Israeli-domiciled entities, universities (Technion, Hebrew University, Weizmann Institute), or research institutions.

WEF Participation

Tom Okman, co-founder of Nord Security, appears on the World Economic Forum Annual Meeting 2023 participant list ²⁷. Attendance at the WEF Annual Meeting is a large-format, multi-sector gathering; no commercial, contractual, or technology-partnership relationship can be inferred from co-attendance alone. No Nord Security–specific strategic engagement emerging from WEF 2023 has been identified in subsequent press or corporate disclosures.

Civil Society Scrutiny & Regulatory History

NGO & Academic Reports

No NGO investigation, academic study, or United Nations report specifically addressing Nord Security’s technology relationships with the Israeli state, operations in occupied territories, or complicity in digital rights violations in that context has been identified. Major digital rights and technology accountability organisations — including Amnesty Tech, Access Now, and Privacy International — have not published Nord Security-specific findings in this domain based on available training-data sources.

The Coinmonks/Medium opinion piece ²⁴ is the closest identified published item raising Unit 8200-related framing in the context of VPN operators generally. It is a self-published analysis, not an NGO or peer-reviewed academic report, and does not identify Nord Security-specific findings.

Boycott, Divestment & Sanctions Campaigns

No public evidence identified of organised BDS campaigns or comparable divestment actions specifically targeting Nord Security for technology provision to Israeli state entities, military bodies, or settlement-linked operations.

Regulatory & Legal Actions

No regulatory inquiries, export control actions, sanctions investigations, or enforcement proceedings involving Nord Security’s technology sales or services to Israeli state entities or actors operating in occupied territories have been identified.

Nord Security has faced separate, unrelated regulatory scrutiny in the VPN industry context. It commissioned a third-party no-logs audit conducted by Deloitte, published in 2023, addressing data retention practices ²⁸. NordVPN’s privacy policy governs data handling for consumer subscribers ²⁹. These matters are unrelated to the domain of this audit.

Hacker News / Community Intelligence

A Hacker News thread discussing VPN ownership structures and the broader Nord Security / Tesonet ecosystem ³⁰ has been identified. The thread reflects community discussion of corporate structures and investor relationships in the VPN industry but does not contain primary-sourced evidence of Israeli state technology relationships. It is included for completeness as a secondary reference to the corporate structure discussion.

End Notes