Full features
Every feature, every comparison. Including where we lose.
The complete picture, module by module, against the alternatives a UK trust actually shortlists. We mark what each tool does well next to what it doesn’t — and we carry the honest marks on our own side too. A procurement decision made on a half-truth is the one that comes back to bite.
Deployment
Managed, or your own keys. Same software either way.
Both paths run a single-tenant instance of the identical product — every module you’ve licensed, no SaaS feature-gating. The only question is who holds the keys and runs the box. There is no second-class option here.
Option A
Self-hosted
You run it on your own VPS or on-prem hardware, anywhere. You own the database, the keys and the patching schedule. Perpetual or subscription licence.
Option B · Alresford-Hosted
Managed
We provision and operate your single-tenant instance on UK infrastructure — backups, patching and restore drills handled. Years 1–3 fees bank credit toward owning the licence outright.
| Self-hosted | Alresford-Hosted (managed) | |
|---|---|---|
| Where it runs | Your infrastructure — a VPS or on-prem box you control, in any region | Alresford's UK infrastructure (London datacenter, 100% renewable energy) |
| Tenancy | Single-tenant — your own instance, your own database | Single-tenant — your own instance, never a shared SaaS pool |
| OS & security patching | You apply OS and platform patches on your schedule | We apply security patches nightly (unattended-upgrades) |
| Backups | Your responsibility — the app ships the tooling, you run it | Nightly, age-encrypted, replicated to a second UK datacentre · 30 daily + 12 monthly retained |
| Recovery objectives | You define and prove them | 24h RTO / 24h RPO internal objectives (not a contractual SLA) · quarterly restore drills |
| Data residency | Wherever you choose to host | UK only — no third-country transfer (bar Microsoft Graph EU/UK if you enable it) |
| Software updates | In-app updater — you choose exactly when to apply a release | You still choose when; we publish signed releases and can coordinate the window |
| Setup | Run the one-line installer (Ubuntu 24.04, PHP 8.4, nginx, PostgreSQL) | Provisioned for you from the licensing portal — live in minutes |
| Licensed features | Identical — every module on your licence | Identical — every module on your licence |
| Source & data | Source included; you hold the database and the keys | Source included; your data stays in your single-tenant instance |
| Cost model | Perpetual licence, or an annual subscription | Managed plan: years 1–3 service fees that bank credit toward a perpetual licence (path-to-ownership) |
| Best fit | Sovereignty-first trusts with an in-house IT team that wants the keys | Trusts that want single-tenant sovereignty without running the box themselves |
Recovery objectives are internal targets, proven by quarterly restore drills — not a contractual SLA. See Licensing and the cost calculator for the commercial detail.
Helpdesk
Helpdesk & IT service management
A genuine ITSM desk — SLAs with business hours, change/problem/project workflows, a major-incident war-room, email-to-ticket, a self-service portal and CSAT. Built trust-shaped, and wired to your real assets, people and compliance.
| Capability | KeystoneOps | FreshService | TopDesk | Halo ITSM |
|---|---|---|---|---|
| Incident & request management | Yes | Yes | Yes | Yes |
| SLAs with business-hours logic | Yes | Yes | Yes | Yes |
| Change · Problem · Project | Yes | Partial / via integration — higher tiers | Yes | Yes |
| Major-incident war-room | Yes | Partial / via integration | Partial / via integration | Partial / via integration |
| Ticket ↔ Asset link, no CMDB upsell | Yes | Partial / via integration — CMDB tier | Partial / via integration | Partial / via integration |
| Self-service portal + offline PWA | Yes | Partial / via integration | Partial / via integration | Not offered |
| AI triage & summarise | Yes — bring your own model | Partial / via integration — Freddy add-on | Partial / via integration | Partial / via integration |
| Pricing | Yes — per trust | Not offered — per agent | Not offered — per agent | Partial / via integration |
Where they beat us
FreshService is a deeper, more mature standalone service desk, with a bigger marketplace and years of polish. If a help desk is all you need, it is an excellent tool. Keystone’s edge is the trust-shaped scope, tickets that link to your real assets, people and compliance, and per-trust pricing instead of per-agent.
Safeguarding
Single Central Record & safeguarding checks
A KCSIE 2026 Annex F register with the engagement-check lifecycle, encrypted certificate references at rest, an access-logged inspector mode, and per-school + trust-wide views. Every change is tamper-signed.
| Capability | KeystoneOps | Every SCR | iAM Compliant | CPOMS |
|---|---|---|---|---|
| KCSIE Annex F register | Yes | Yes | Yes | Not offered — incidents, not SCR |
| Encrypted certificate refs at rest | Yes | Partial / via integration | Partial / via integration | Not offered |
| DBS Update Service workflow | Partial / via integration — consent + manual status + chase | Partial / via integration | Partial / via integration | Not offered |
| Per-school + trust-wide rollup | Yes | Yes | Partial / via integration | Not offered |
| Inspector read-only timed access | Yes | Partial / via integration | Not offered | Not offered |
| Inspector export (PDF/XLSX/CSV) w/ date-checked + checked-by | Yes | Yes | Partial / via integration | Not offered |
| Tamper-signed audit per change | Yes | Partial / via integration | Partial / via integration | Partial / via integration |
Where they beat us
CPOMS owns safeguarding-incident recording — a different job from the SCR, and the market leader at it. We don’t try to replace it; we focus on the Single Central Record and integrate around incidents rather than compete.
- Live DBS Update Service lookups require an HMG organisation subscription. Out of the box Keystone records the manual check outcome and runs the chase; a live API client binds where a trust holds the subscription.
People & HR
People register & HR
A person spine for staff, governors and contractors — documents, qualifications, emergency contacts — with a joiners-movers-leavers workflow, leave self-service, and cross-module GDPR erasure. The MIS stays the source of truth for pupils.
| Capability | KeystoneOps | Every HR | PeopleHR | Arbor / Bromcom |
|---|---|---|---|---|
| Staff record spine (docs, quals, contacts) | Yes | Yes | Yes | Partial / via integration |
| Joiners-Movers-Leavers workflow | Yes | Partial / via integration | Partial / via integration | Not offered |
| Leave / absence self-service | Yes | Yes | Yes | Partial / via integration |
| Right-to-work / expiry into assurance | Yes | Partial / via integration | Not offered | Not offered |
| Cross-module right-to-be-forgotten | Yes | Partial / via integration | Not offered | Partial / via integration |
| MIS sync — staff / schools / rooms | Partial / via integration — one-way via Wonde | Partial / via integration | Not offered | Yes — system of record |
| Pupil & parent records | Not offered — MIS owns these | Partial / via integration | Not offered | Yes |
Where they beat us
Arbor and Bromcom are the MIS — they own the canonical pupil and parent data, and they should. Keystone’s Wonde sync brings staff, schools and rooms across one-way; pupils stay in your MIS. We complement the system of record, we don’t try to be it.
Estates
Estates, facilities & compliance
Statutory compliance certificates with expiry tracking, a contractor portal, a visitor/contractor sign-in kiosk, lettings, lone-working, energy and PPM — all feeding the same signed inspection bundle as the rest of the platform.
| Capability | KeystoneOps | Every Estates | iAM Compliant | Concerto |
|---|---|---|---|---|
| Statutory certs + expiry (PAT, fire, EICR, gas, legionella, asbestos…) | Yes | Yes | Yes | Yes |
| Contractor portal + on-arrival sign-in | Yes | Partial / via integration | Partial / via integration | Partial / via integration |
| Visitor management kiosk | Yes | Partial / via integration | Not offered | Partial / via integration |
| Compliance pack → signed inspection bundle | Yes | Not offered | Partial / via integration | Partial / via integration |
| Lettings · lone-working · energy · PPM | Yes | Partial / via integration | Partial / via integration | Yes |
| Tamper-signed audit | Yes | Partial / via integration | Partial / via integration | Partial / via integration |
Where they beat us
Concerto and Civica have decades of estates/CAFM lineage — deep FM features Keystone won’t match one-for-one on day one. Keystone’s win is that estates compliance lives in the same audit fabric as the SCR, assets and governance, so an inspection bundle assembles in one click.
Health & Safety
Health & Safety
A closed-loop H&S surface: accident book and incident register, RIDDOR auto-suggestion with HSE export, risk assessments, first-aider tracking with expiry alerts, fire drills, and staff self-reporting from the portal.
| Capability | KeystoneOps | Every | iAM Compliant |
|---|---|---|---|
| Accident book + incident register | Yes | Yes | Yes |
| RIDDOR auto-suggest + HSE export | Yes | Partial / via integration | Partial / via integration |
| Risk assessments (DSE / COSHH / trips / fire) | Yes | Yes | Yes |
| First aiders + expiry alerts | Yes | Partial / via integration | Partial / via integration |
| Fire drills + testing schedule | Yes | Partial / via integration | Partial / via integration |
| Staff self-report from portal | Yes | Partial / via integration | Partial / via integration |
Where they beat us
Dedicated H&S suites carry deeper templated risk-assessment libraries and sector benchmarking. Keystone’s strength is that an incident links straight to the person, the asset and the governance action — one record, not three systems.
Assets
IT asset management
A register with custom fields and a full lifecycle, per-asset tamper-signed history, two-way ticket links, software licensing, warranty, purchase orders and a per-host discovery agent. We’re the register, not a network scanner.
| Capability | KeystoneOps | Lansweeper | NetSupport DNA | Snipe-IT |
|---|---|---|---|---|
| Register + custom fields + lifecycle | Yes | Partial / via integration | Partial / via integration | Yes |
| Per-asset tamper-signed history | Yes | Partial / via integration | Partial / via integration | Partial / via integration |
| Two-way Ticket ↔ Asset link | Yes | Not offered | Partial / via integration | Not offered |
| Network discovery | Partial / via integration — per-host inventory agent | Yes — full LAN scan | Yes — full LAN scan | Not offered |
| Auto-match discovered → register | Partial / via integration — by serial number | Yes | Yes | Not offered |
| Licensing · warranty · POs · suppliers | Yes | Partial / via integration | Partial / via integration | Partial / via integration |
| Self-service /me/assets | Yes | Not offered | Not offered | Partial / via integration |
Where they beat us
Lansweeper and NetSupport DNA are purpose-built network scanners and beat Keystone at deep LAN discovery and endpoint telemetry — that’s their entire job. Keystone’s discovery agent is a per-host inventory agent that auto-matches by serial; the value is the register being wired to tickets, people and locations, not the breadth of the scan.
- The discovery agent reports the host it runs on (hardware + installed software) and auto-matches to an asset by serial number. A full LAN sweep is deliberately out of scope today.
Governance
Governance, risk & compliance
A policy register with review cycles, a risk register and actions, a control/evidence register with sensitivity gating, signed board packs, and a trustee self-service portal. Governance evidence is fed automatically from your live operational data.
| Capability | KeystoneOps | GovernorHub (The Key) | Decision Time |
|---|---|---|---|
| Policy register + review cycle | Yes | Yes | Yes |
| Risk register + governance actions | Yes | Partial / via integration | Yes |
| Control / evidence register | Yes | Partial / via integration | Partial / via integration |
| Signed board / meeting pack export | Yes | Yes | Yes |
| Shipped framework content (KCSIE / CE / ISO) | Partial / via integration — DfE starter + build-your-own | Yes — large content library | Partial / via integration |
| Trustee self-service portal | Yes | Yes | Yes |
| Cross-product assurance evidence | Yes | Not offered | Not offered |
Where they beat us
GovernorHub (The Key) has a vast, professionally-maintained content and clerking ecosystem and a governance community Keystone can’t match. If governance is the only need, it’s the safe choice. Keystone’s angle is different: governance evidence is fed automatically from your live SCR, estates and H&S data, rather than re-keyed.
- The compliance engine is real and framework-agnostic. Out of the box it ships a DfE Academies Trust Handbook starter pack; KCSIE / Cyber Essentials / ISO 27001 are mapped build-your-own rather than pre-authored content libraries.
GDPR
GDPR, DSAR & privacy
A DSAR intake portal and DPO inbox, a cross-module subject bundle that actually reaches every product, cross-module right-to-be-forgotten, external-source sweep across M365 and Google, a ROPA generator and a breach register on the 72-hour clock.
| Capability | KeystoneOps | OneTrust | Judicium GDPR-in-Schools |
|---|---|---|---|
| DSAR intake portal + DPO inbox | Yes | Yes | Partial / via integration |
| Cross-module subject bundle (automatic) | Yes | Partial / via integration | Not offered |
| Cross-module right-to-be-forgotten | Yes | Partial / via integration | Not offered |
| External-source sweep (M365 / Google) | Yes | Yes | Not offered |
| ROPA (Art 30) generator | Yes | Yes | Partial / via integration |
| Breach register (Art 33/34, 72h clock) | Yes | Yes | Partial / via integration |
| Enterprise consent management at scale | Not offered — MAT-relevant subset | Yes | Not offered |
Where they beat us
OneTrust is an enterprise privacy-engineering platform — consent management, vendor risk, DPIA tooling — with depth far beyond a MAT’s day-to-day need. Keystone covers the UK-MAT-relevant subset, in-app and self-hostable, with DSARs that genuinely reach across every module rather than stopping at one.
Assurance
Trust assurance & the breadth story
This is the part no single competitor offers: eight first-party products under one tamper-signed audit fabric, an anomaly sentinel that watches across all of them, and a one-click signed inspection bundle. The table below is module coverage, not features — it’s why the cross-domain workflow holds together.
| Capability | KeystoneOps | Every (IRIS) | Civica | FreshService | GovernorHub |
|---|---|---|---|---|---|
| Helpdesk / ITSM | Yes | Not offered | Not offered | Yes | Not offered |
| Estates & compliance | Yes | Yes | Yes | Not offered | Not offered |
| IT assets | Yes | Yes | Yes | Partial / via integration | Not offered |
| Governance & risk | Yes | Not offered | Not offered | Not offered | Yes |
| Single Central Record | Yes | Yes | Not offered | Not offered | Not offered |
| People & HR | Yes | Yes | Yes | Not offered | Not offered |
| Identity / SSO | Yes | Not offered | Not offered | Not offered | Not offered |
| Cross-product assurance + signed bundle | Yes | Not offered | Not offered | Not offered | Not offered |
Where they beat us
Every named competitor is genuinely strong — often stronger than Keystone — inside its own column. The honest pitch isn’t "we beat each of them at their own game"; it’s that nobody else ties helpdesk, estates, assets, governance, SCR, HR and identity into one audit fabric. The breadth is the product. If you only need one column, buy the specialist.
Going deeper
This page is capabilities. For a vendor-specific commercial head-to-head — five-year cost, migration, what it takes to switch — see the Compare deep-dives. For your own number, the cost calculator.
No demo-ware
See it on your trust’s data. Marks and all.
Book a private evaluation and we’ll walk the honest version — what’s shipped, what’s partial, and where another tool would serve you better. That conversation is the point.
Live demo: portal.alresfordmat.uk — every mark on this page, demonstrable.