Legal

Procurement guidance

Last updated: 3 May 2026

Most trusts run procurement against a framework or follow ESFA Academy Trust Handbook guidance. Here's what we ship to make that process as short as possible.

What we provide on request

• DPIA scaffolding — a pre-filled Data Protection Impact Assessment template tailored to a self-hosted KeystoneOps deployment
• Security overview — architecture diagram, data-flow map, sub-processor list (short — we have very few), encryption details
• Sample licence agreement — the actual contract text, no NDA required to read it
• Reference architecture — recommended VM specs, network topology, backup/DR pattern
• Sample SLA — uptime + response-time commitments under the maintenance contract
• Data Processing Agreement — UK GDPR Article 28 template, executed on contract for managed deployments
• Insurance certificates — professional indemnity + cyber liability

Frameworks

We're not on G-Cloud, CCS, or DfE frameworks yet. We're working through the process for the next major framework opening; if your trust requires framework-procurement, please contact us early — there are usually accepted alternatives (direct award under threshold, framework-by-association, RFQ with rationale).

Certifications

• Cyber Essentials — application in progress, target Q3 2026
• Cyber Essentials Plus — target Q4 2026
• ISO 27001 — on the 2027 roadmap

These dates are honest, not aspirational. If a current certification is a hard requirement for your procurement, tell us — we can usually meet you on the equivalent control evidence.

Until each certificate is in hand, we hold ourselves to the underlying controls anyway. Our public properties (this site, the docs site, the licensing portal) are independently scored A+ by Mozilla Observatory and SSL Labs as of May 2026 — full posture and the controls that produced those scores are on our security page.

DfE digital standards + DSPT

KeystoneOps is built to align with the DfE digital and technology standards for schools and colleges — single sign-on via your existing identity provider (Entra / Google / SAML / OIDC / LDAP), role-based access, audit logging, UK data residency, and a documented backup/DR pattern. The reference architecture we provide maps each relevant standard to how a KeystoneOps deployment satisfies it.

On the Data Security and Protection Toolkit (DSPT): the toolkit is completed by your trust as the data controller, not by us. KeystoneOps is designed to make the relevant assertions straightforward to evidence — access control, encryption in transit and at rest, audit trails, retention controls and breach-notification support. We provide a DSPT mapping note in the procurement pack showing which toolkit questions the platform helps you answer and how. We're honest that this is an alignment statement, not a certification.

Data protection + DPA

Your trust is the data controller for product data. Self-hosted, your operational data never reaches us and we are not a processor of it. On the Managed Hosted path we act as your processor on documented instructions, under a UK GDPR Article 28 Data Processing Agreement — covering sub-processors, security measures, breach notification, audit rights, and return/deletion of data on exit. The DPA template is available to review before signing and is executed as part of the contract. Full detail is in the privacy policy.

Support, SLA + uptime

The full SLA forms part of the maintenance contract; these are the published baseline commitments it is built on. Response targets are identical on both deployment paths — the difference is what we operate versus what you operate, not how quickly we answer.

• Support channel (both paths) — email, UK office hours (Mon–Fri 09:00–17:00, excluding England & Wales bank holidays). Dedicated security@ and procurement@ routes.
• Response targets (both paths) — P1 service-down: 4 business hours; P2 major-impair: 1 business day; P3 general: 3 business days.

What differs by path — because it follows from who runs the infrastructure:

• Managed Hosted — we operate it. 99.9% monthly uptime target (excluding pre-agreed maintenance windows), daily encrypted off-site UK backups, 24/7 monitoring with on-call, and end-to-end resolution: we apply OS patches and KeystoneOps releases for you within agreed change windows.
• Self-hosted — you operate the infrastructure. The same response targets for diagnosis, fixes and advice; we ship the fix or release within the SLA, you deploy it. Resolution time and availability then depend on your environment, change windows and DR — the trade-off for full control. No uptime SLA applies because we don't run the servers.

These figures are firm, not aspirational. The signed SLA document (with measurement method, exclusions and any service credits) is in the procurement pack.

Security patches + versioning

Security patches are provided to every licensed trust regardless of maintenance status. A maintenance lapse freezes new features — it never freezes security. That is a deliberate commitment, and this is the mechanism that makes it verifiable:

• Versioning — semantic MAJOR.MINOR.PATCH. MINOR and MAJOR releases carry features and improvements and are delivered under the maintenance contract or the managed path. The PATCH stream is fixes only.
• Separate security channel — security releases are published on a dedicated channel that every licensee can pull from (self-hosted) or has applied automatically (managed), independent of the maintenance contract. Feature and security releases travel on different tracks by design.
• Identified, not buried — every security release carries a Keystone Security Advisory identifier (e.g. KSA-2026-014) in the build tag (2.4.1+KSA-2026-014) and the release notes, so it is unambiguous which release closes which issue and that you are entitled to it.
• Support window — we backport security fixes to the current and immediately-prior major version, guaranteed for at least 3 years from each major's release, free of charge, maintenance or not.
• Perpetual backstop — licensed trusts hold the source. Beyond the formal window, or any time you choose, you can apply security fixes yourself indefinitely. You can never be left unable to patch software you own.

What qualifies — classification is by impact, not by component: a fix ships as security if it materially reduces the confidentiality, integrity or availability risk of an unpatched instance — for example access-control or cross-academy tenant-isolation flaws, injection, authentication or session weaknesses, sensitive-data exposure, vulnerable bundled dependencies, audit-log tampering, or unauthenticated denial of service. Defence-in-depth hardening with no known exploit, dependency bumps with no advisory, and regulatory or compliance changes (e.g. a KCSIE update) are not security patches and ride the normal release stream. The classification is stated in each KSA — and because you hold the source, you can verify it.

All severities are delivered free on the security channel; only the timeline tiers — critical as fast as we safely can (days), high within 14 days of a confirmed advisory, medium/low rolled into the next security release without a fixed clock. A security fix that requires a breaking change or data migration still ships as a security release — we do not withhold a fix because it is awkward — with the operational impact called out in the KSA. How we patch our own infrastructure is detailed on the security page.

Hosting + infrastructure (managed path)

Trusts that pick the Managed Hosted path get their KeystoneOps instance running on a UK-based, single-tenant server provided by us. Our infrastructure partner is Mythic Beasts Ltd — a UK-owned, UK-staffed, UK-tax-paying hosting provider with datacentres in London (Sovereign House) and Cambridge. No US parent, no third-country transfers, no AWS or Azure under the hood.

• Single Academy → Large MAT — provisioned on dedicated virtual servers (single-tenant; no co-mingling with other trusts)
• Enterprise MAT — provisioned on dedicated bare-metal hardware by default, included in the licence at no extra cost
• Daily encrypted off-site backups to a separate UK location
• 24/7 monitoring with on-call response
• OS patching + KeystoneOps upgrades applied for you (with change windows agreed)
• Switch to self-hosted any time without losing the licence — your licence and your data travel with you

Migration costs

Migration from FreshService, Civica, or any other ITSM/asset/SCR system is included in the licence — no separate migration line. We'll spec the migration approach by email when you get in touch.

Cancellation

The perpetual licence has no cancellation clause — you own it. The maintenance contract is annual; you can decline to renew at any term boundary with no penalty — and declining maintenance does not stop security patches (see Security patches + versioning above). Your existing data stays yours; we provide an export script.

Get the pack

Use the contact form to request the procurement pack with your trust's specific shape pre-filled. Or email procurement@keystoneops.education directly.