INDEX / DIRECTORY / UPWORK / V-DIG

Upwork V-DIG

DIGITAL INFRASTRUCTURE AUDIT UPDATED 2026-05-19
V-DIG Score 1.14 /10 E Upwork — BDS-1000 114
V-DIG 1.14

Evidence-only forensic audit. Scoring happens downstream — see the main dossier for the composite assessment.

V-DIG Audit: Upwork, Inc.

Audit Phase: V-DIG Domain Audit Target Entity: Upwork, Inc. (NASDAQ: UPWK) Audit Date: May 2026 Jurisdiction of Incorporation: Delaware, USA Primary Business: Online freelance labour marketplace intermediating contracts between independent talent and client organisations globally

Enterprise Technology Stack & Vendor Relationships

Confirmed Infrastructure

Upwork’s S-1 (2018) 1 and subsequent 10-K filings 23 identify AWS as the company’s primary cloud infrastructure provider. This is corroborated by a Tigera/Calico engineering case study 4 confirming Upwork migrated its legacy systems to Kubernetes on AWS EKS and implemented zero-trust network security using Calico. No secondary cloud provider or on-premises data centre arrangement is disclosed in public filings. Google Cloud is confirmed as an additional platform used specifically for Upwork’s generative AI workloads (see §AI, Algorithmic & Autonomous Systems below) 56.

Israeli-Origin Cybersecurity Vendors

The prior research stage surfaced claims that Upwork uses multiple Israeli-origin cybersecurity products internally. Each claim was assessed against primary sources:

Payment Infrastructure Vendors

Acquisitions & Key Client Relationships (2025)

Upwork’s 10-Q (filed November 2025) 19 and multiple press sources 202122 confirm two acquisitions completed in 2025:

No acquisitions of Israeli-origin technology companies by Upwork were identified in SEC filings 192324, press releases, or credible news reporting.

Humanitarian Initiative

In July 2022, Upwork partnered with the Tent Partnership for Refugees on an initiative named “Opportunity Unlimited” to connect Ukrainian displaced professionals with remote work opportunities 25. This initiative is noted for completeness; it has no bearing on Israeli technology vendor relationships.

Surveillance, Biometrics & Retail Technology

Identity Verification & Biometric Data Processing

Identity verification is a material operational function for Upwork, which is required to verify contractor identities to maintain platform integrity, comply with KYC/AML obligations, and detect fraud. Upwork’s Trust & Safety page 26 and privacy documentation 2728 acknowledge the use of third-party identity verification services. A Reddit thread from 2022 29 shows user-level concern and inquiry about which third parties receive biometric data shared during Upwork’s ID verification process, indicating biometric data has been collected as part of platform onboarding for a substantial period.

AU10TIX — Confirmed Historical Vendor (Israeli-origin):

AU10TIX is an Israeli identity intelligence company and a subsidiary of ICTS International (Amsterdam-listed), headquartered in Hod Hasharon, Israel. AU10TIX provides document forensics and multi-modal biometric face-matching for identity verification.

In June 2024, Wired reported 30 that AU10TIX had suffered a serious credential exposure: administrative login credentials for a logging platform had been left publicly accessible for approximately 18 months. Dark Reading 31 confirmed the exposure. A TrustCloud breach summary 32 — as well as separate CyberInsider reporting — identified Upwork, alongside Fiverr and Uber, as named clients whose user identity verification data appeared in the exposed AU10TIX logs. The exposed data included biometric metadata and document verification records 32. This constitutes the strongest verified Israeli-origin technology vendor relationship identified in this audit, established through multiple independent sources 303132.

Public reporting suggests Upwork transitioned away from AU10TIX following the breach disclosure, approximately mid-2024 32. The current post-AU10TIX identity verification vendor is not publicly named in any Upwork press release, support article, legal center document, or SEC filing reviewed. The live version of Upwork’s subprocessor list 33 and current Data Processing Agreement 27 would be the authoritative sources, but no current live version confirming a named replacement vendor was retrievable during research. The 2023 archived DPA 34 provides partial historical subprocessor information only.

Summary status: AU10TIX — confirmed historical relationship, active up to approximately mid-2024; described as discontinued following breach disclosure. Current IDV vendor: not publicly identified.

Other IDV Vendors Assessed

Retail Surveillance Technology

Upwork is a digital marketplace with no physical retail stores or facilities. Israeli-origin retail and physical surveillance analytics vendors — including Trigo (computer vision checkout), BriefCam (video analytics), AnyVision/Oosto (facial recognition), and Trax (retail shelf analytics) — have no applicability to Upwork’s business model. No public evidence identified; vendor category structurally inapplicable.

Predictive Analytics & Workforce Monitoring

No verified use of Israeli-origin predictive analytics, sentiment analysis, social media monitoring, or workforce surveillance tools was identified in any public Upwork filing, press release, or credible investigative report. No public evidence identified.

Cloud Infrastructure, Data Residency & Sovereign Cloud Participation

Primary Cloud Infrastructure

Upwork’s cloud infrastructure is confirmed as AWS-primary, as disclosed in its S-1 1, 2023 10-K 23, and most recent annual report 23. The Tigera/Calico engineering case study 4 provides technical corroboration, confirming AWS EKS (Elastic Kubernetes Service) as the orchestration layer, with Calico implementing zero-trust network policies. Google Cloud is used as an additional platform, specifically for AI/ML workloads tied to the “Uma” AI assistant 56. No other cloud providers are named in public disclosures.

Israeli Data Centres

No evidence that Upwork operates, leases, or co-locates data centre infrastructure within Israel was identified in any SEC filing, press release, engineering disclosure, or independent news report. Upwork’s 10-K filings describe infrastructure as fully cloud-based with no owned or leased Israeli physical facilities. No public evidence identified.

Project Nimbus

Project Nimbus is a confirmed $1.2 billion cloud services contract awarded in 2021 to Google Cloud and AWS to provide cloud infrastructure and services to the Israeli government and military 39. AWS launched the il-central-1 (Tel Aviv) AWS region in 2023 in connection with Project Nimbus obligations 40. Google Cloud employees staged internal protests and public demonstrations in April 2024 over Project Nimbus 41.

Upwork is a confirmed AWS customer 43 and confirmed Google Cloud / Vertex AI customer 56. However, Upwork is not a party to Project Nimbus, has made no public statement about the contract, and has not been reported by any source — news, NGO, parliamentary, or regulatory — as a Project Nimbus participant, subcontractor, downstream beneficiary, or affiliated entity. The inference that Upwork’s AWS or GCP expenditure contributes revenue to Project Nimbus infrastructure is indirect and would apply equally to any enterprise customer of either platform; it does not constitute a verified or material finding specific to Upwork.

The prior research memo’s specific claim that Upwork uses the il-central-1 AWS region for data caching or processing is unverified and speculative. No Upwork engineering disclosure, AWS case study, SEC filing, or independent report confirms Upwork has opted into or uses the Israel AWS region. No public evidence identified.

Data Sovereignty & Sovereign Cloud Services

No evidence was identified that Upwork provides services marketed or contracted to Israeli state institutions for data sovereignty, resilience, or government cloud purposes. No public evidence identified.

Data Residency Disclosures

Upwork’s current DPA 27 and subprocessor list 33 are the primary public disclosures governing data residency obligations. The 2023 archived DPA version 34 provides partial historical subprocessor information. Upwork’s support documentation 28 acknowledges cross-border data transfers and applicable safeguards (Standard Contractual Clauses). No specific disclosure of data being routed through or stored in Israeli jurisdiction was identified. No public evidence identified of Israeli data residency.

Defence, Intelligence & Security Sector Technology Relationships

Military & Intelligence Contracts

No verified contracts, partnerships, service agreements, or memoranda of understanding between Upwork and the Israeli Ministry of Defence, the Israel Defense Forces (IDF), any branch of Israeli military intelligence (Unit 8200, Mossad, Shin Bet, Aman), or affiliated procurement agencies were identified in any public source — including the full SEC EDGAR filing index 24, Upwork press releases 42, major technology and defence trade press, or NGO procurement databases. No public evidence identified.

Dual-Use Technology Provision

No instances were identified where Upwork’s technology, platform, or services have been publicly reported or confirmed as deployed for military, intelligence, or law enforcement surveillance purposes in Israel or in Israeli-occupied territories. No public evidence identified.

Talent Supply to Defence/Intelligence Sector

Upwork’s marketplace connects freelancers with clients across all sectors. No reporting, NGO investigation, or regulatory disclosure has specifically identified Upwork’s marketplace as a significant channel supplying technical talent to Israeli defence or intelligence entities. No public evidence identified.

Offensive Cyber & Weapons Technology

Upwork is a freelance labour marketplace. It does not develop, sell, license, or provide cybersecurity tools, offensive cyber capabilities, signals intelligence products, or weapons systems. Its commercial model is the intermediation of labour contracts between independent contractors and client organisations. No public evidence identified; category structurally inapplicable to Upwork’s business model.

AI, Algorithmic & Autonomous Systems

”Uma” — Generative AI Platform

Upwork launched its “Uma” (Upwork Mindful AI) generative AI platform in 2023 6. Uma is confirmed via Google Cloud’s generative AI case study publication 5 and Upwork’s own press release 6 as built on Google Vertex AI, incorporating Google’s Gemini foundation models. Uma’s documented functions include AI-assisted job post generation, freelancer matching, workflow automation, and a conversational assistant for navigating the platform.

No evidence was identified that Uma, or any Upwork AI product, has been provided, licensed, or sold to Israeli state bodies, military institutions, or intelligence agencies. No evidence was identified of Upwork AI systems being deployed for population surveillance, predictive policing, or military targeting applications in any jurisdiction. No public evidence identified.

Training Data Practices

Upwork’s Terms of Service grant Upwork a broad licence over platform content, which may encompass use for AI model training and improvement purposes 27. This is a standard commercial ToS practice and is not specific to Israeli data, state-linked datasets, or surveillance-derived corpora. No publicly reported instance of Upwork AI models being trained on surveillance-origin, military, or Israeli government datasets was identified. No public evidence identified.

Algorithmic Labour Allocation

Upwork’s core matching algorithms allocate job recommendations and search rankings for freelancers and clients. No independent audit, NGO report, or academic study specifically examining the civil liberties or human rights implications of Upwork’s algorithmic labour allocation in the context of Israeli or Palestinian workers was identified in publicly available sources. The arXiv study on digital payments in data work 16 touches on structural financial access inequities affecting Global South data workers on platforms including Upwork but does not make findings specific to Israeli-Palestinian dynamics.

Autonomous Systems & Lethal Autonomy

Not applicable to Upwork’s commercial domain. No public evidence identified.

Technology Ecosystem & R&D Footprint

Israeli R&D Centres & Offices

No evidence was identified that Upwork operates research and development facilities, engineering offices, innovation labs, startup accelerator programmes, or co-working arrangements within Israel. Upwork’s 10-K filings 2323 list principal offices as San Francisco (headquarters) and Chicago, with a predominantly remote and distributed engineering workforce. No Israeli office is disclosed in any SEC filing. No press release, news report, or LinkedIn organisational data reviewed identified an Upwork Israel office or R&D facility. No public evidence identified.

Acquisitions and Investment Activity

All confirmed Upwork acquisitions identified in public records are non-Israeli in origin:

No acquisitions of Israeli-origin or Israeli-domiciled technology companies by Upwork were identified in SEC filings 192324, Upwork press releases, or credible news reporting. No public evidence identified of Israeli-origin acquisitions or strategic investments.

Patent & Intellectual Property Relationships

No significant patent portfolios, cross-licensing agreements, co-development arrangements, or joint IP ventures between Upwork and Israeli-domiciled entities — including academic institutions (Technion–Israel Institute of Technology, Hebrew University of Jerusalem, Weizmann Institute of Science) or Israeli government research bodies — were identified in USPTO records, Upwork SEC filings, or press releases. No public evidence identified.

Ecosystem Partnerships

Upwork’s disclosed technology partnerships centre on payment infrastructure (Payoneer 111215), AI infrastructure (Google Vertex AI 56), and cloud infrastructure (AWS 43). No formal technology ecosystem partnership with Israeli-origin companies — beyond the confirmed historical AU10TIX IDV relationship described in §Surveillance, Biometrics & Retail Technology — was identified in any primary source. No additional public evidence identified.

Civil Society Scrutiny & Regulatory History

NGO & Academic Reports

Boycott, Divestment & Sanctions Campaigns

The BDS Movement’s published boycott lists and active campaign targets 43 focus primarily on companies with direct contracts with the Israeli military, a direct corporate presence in Israeli-occupied territories, or specific provision of military or surveillance technology. No BDS campaign specifically targeting Upwork was identified in available public records. No organised divestment resolution, shareholder campaign, pension fund exclusion, or sanctions proceeding specifically citing Upwork’s Israeli technology relationships was identified across BDS Movement, AFSC Investigate, Who Profits, or Palestine solidarity campaign archives. No public evidence identified.

Regulatory & Legal Actions

Platform Labour & Payment Access Concerns

The arXiv study 16 and associated academic literature raise concerns about financial exclusion embedded in platform payment architectures. The Payoneer integration specifically 111210 involves an Israeli-founded payment company as the primary freelancer withdrawal mechanism on Upwork in many jurisdictions. User-level documentation of this dependency appears in multiple Upwork support articles 1314 and third-party financial commentary 15. No regulatory or civil society action specifically addressing this payment architecture from a BDS or political risk standpoint was identified.

End Notes

Footnotes

  1. https://www.sec.gov/Archives/edgar/data/1627475/000119312518267594/d575528ds1.htm 2

  2. https://www.sec.gov/Archives/edgar/data/1627475/000162747524000009/upwk-20231231.htm 2 3 4

  3. https://www.sec.gov/Archives/edgar/data/1627475/000162747524000009/upwk-20231231.htm 2 3 4 5 6

  4. https://www.tigera.io/blog/case-study-calico-helps-upwork-migrate-legacy-system-to-kubernetes-on-aws-and-enforce-zero-trust-security/ 2 3 4

  5. https://cloud.google.com/transform/101-real-world-generative-ai-use-cases-from-industry-leaders 2 3 4 5

  6. https://www.upwork.com/press/releases/upwork-launches-uma-generative-ai-powered-platform 2 3 4 5 6

  7. https://www.reuters.com/technology/google-acquire-wiz-cybersecurity-startup-2025-03-18/

  8. https://ir.checkpoint.com/overview/default.aspx

  9. https://www.cyberark.com/investors/

  10. https://investor.payoneer.com/governance/company-information 2

  11. https://www.payoneer.com/get-paid-by-upwork/ 2 3

  12. https://support.upwork.com/hc/en-us/articles/211063988-How-to-use-Payoneer-to-withdraw-your-earnings 2 3

  13. https://support.upwork.com/hc/en-us/articles/211064008-How-quickly-Payoneer-pays-and-what-fees-apply 2

  14. https://support.upwork.com/hc/en-us/articles/211060918-How-to-get-paid-on-Upwork 2

  15. https://investor.payoneer.com/news-releases/news-release-details/payoneer-announces-first-quarter-2021-financial-results 2 3

  16. https://arxiv.org/html/2403.01572v1 2 3 4

  17. https://tipalti.com/about/

  18. https://tipalti.com/industries/gig-economy-freelancer-payments/

  19. https://investors.upwork.com/static-files/83d4f2d4-aee5-4071-a8b6-5f02b6533d82 2 3 4 5 6

  20. https://www.unleash.ai/market-news/upwork-shifts-from-talent-acquisition-to-talent-access-by-buying-bubty-and-ascen/ 2 3

  21. https://www.eu-startups.com/2025/08/dutch-freelance-management-system-bubty-joins-upworks-enterprise-arm-to-shape-the-future-of-contingent-work/ 2 3 4

  22. https://news.outsourceaccelerator.com/upwork-corporate-staffing-bubty-ascen/ 2 3 4 5

  23. https://investors.upwork.com/sec-filings/annual-reports 2 3 4

  24. https://www.sec.gov/cgi-bin/browse-edgar?action=getcompany&CIK=0001627475&type=&dateb=&owner=include&count=40&search_text= 2 3

  25. https://www.businesswire.com/news/home/20220707005153/en/Upwork-and-Tent-Announce-Opportunity-Unlimited-to-Connect-Professionals-Displaced-from-Ukraine-to-Remote-Work-Opportunities

  26. https://www.upwork.com/trust-and-safety

  27. https://www.upwork.com/legal/data-processing-agreement/ 2 3 4

  28. https://support.upwork.com/hc/en-us/articles/211067798-How-Upwork-protects-your-personal-data 2

  29. https://www.reddit.com/r/Upwork/comments/wuwc0d/who_are_the_third_party_providers_upwork_shares/

  30. https://www.wired.com/story/au10tix-identity-verification-data-exposed/ 2 3

  31. https://www.darkreading.com/cyber-risk/authenticator-for-x-tiktok-exposes-personal-user-info-for-18-months 2 3

  32. https://trustcloud.tech/blog/au10tix-case-records-exposed-security-breach-major-apps/ 2 3 4 5

  33. https://www.upwork.com/legal/subprocessors/ 2

  34. https://upwork.pactsafe.io/versions/655a53f04a23222348051da5.pdf 2

  35. https://www.jumio.com/company/

  36. https://www.upwork.com/success-stories/jumio

  37. https://go-lifted.com/case-studies/jumio

  38. https://onfido.com/blog/onfido-joins-entrust/

  39. https://www.reuters.com/technology/exclusive-google-amazon-win-1-2-bln-israeli-government-cloud-contract-2021-04-20/

  40. https://aws.amazon.com/blogs/aws/aws-israel-tel-aviv-region-is-now-open/

  41. https://www.theguardian.com/technology/2024/apr/19/google-workers-protest-project-nimbus-israel-contract

  42. https://www.upwork.com/legal

  43. https://bdsmovement.net/Act/economic-pressure/boycott