Legal

Procurement guidance

Last updated: 3 May 2026

Most trusts run procurement against a framework or follow ESFA Academy Trust Handbook guidance. Here's what we ship to make that process as short as possible.

What we provide on request

• DPIA scaffolding — a pre-filled Data Protection Impact Assessment template tailored to a self-hosted KeystoneOps deployment
• Security overview — architecture diagram, data-flow map, sub-processor list (short — we have very few), encryption details
• Sample licence agreement — the actual contract text, no NDA required to read it
• Reference architecture — recommended VM specs, network topology, backup/DR pattern
• Sample SLA — uptime + response-time commitments under the maintenance contract
• Insurance certificates — professional indemnity + cyber liability

Frameworks

We're not on G-Cloud, CCS, or DfE frameworks yet. We're working through the process for the next major framework opening; if your trust requires framework-procurement, please contact us early — there are usually accepted alternatives (direct award under threshold, framework-by-association, RFQ with rationale).

Certifications

• Cyber Essentials — application in progress, target Q3 2026
• Cyber Essentials Plus — target Q4 2026
• ISO 27001 — on the 2027 roadmap

These dates are honest, not aspirational. If a current certification is a hard requirement for your procurement, tell us — we can usually meet you on the equivalent control evidence.

Hosting + infrastructure (managed path)

Trusts that pick the Managed Hosted path get their KeystoneOps instance running on a UK-based, single-tenant server provided by us. Our infrastructure partner is Mythic Beasts Ltd — a UK-owned, UK-staffed, UK-tax-paying hosting provider with datacentres in London (Sovereign House) and Cambridge. No US parent, no third-country transfers, no AWS or Azure under the hood.

• Single Academy → Large MAT — provisioned on dedicated virtual servers (single-tenant; no co-mingling with other trusts)
• Enterprise MAT — provisioned on dedicated bare-metal hardware by default, included in the licence at no extra cost
• Daily encrypted off-site backups to a separate UK location
• 24/7 monitoring with on-call response
• OS patching + KeystoneOps upgrades applied for you (with change windows agreed)
• Switch to self-hosted any time without losing the licence — your licence and your data travel with you

Migration costs

Migration from FreshService, Civica, or any other ITSM/asset/SCR system is included in the licence — no separate migration line. We'll spec the migration approach by email when you get in touch.

Cancellation

The perpetual licence has no cancellation clause — you own it. The maintenance contract is annual; you can decline to renew at any term boundary with no penalty. Your existing data stays yours; we provide an export script.

Get the pack

Use the contact form to request the procurement pack with your trust's specific shape pre-filled. Or email procurement@keystoneops.education directly.