KeystoneOps For UK trusts

Your infrastructure. Your control plane.

Standard Postgres + Laravel stack. Single binary deploy or container. Full source access. Every endpoint authenticated, every row audited, every webhook signed. No proprietary store, no opaque scheduler, no vendor-locked event bus.

If you're replacing FreshService and Civica, you're replacing two API surfaces, neither of which fully integrates with your AD. Both of ours do, both ways, with documented payloads.

Named integrations, both directions, documented payloads.

No "via Zapier", no "contact sales". Each item below is a tested integration in production with a published OpenAPI spec and a worked example in the docs.

  • Microsoft Entra ID — SCIM provisioning, OIDC SSO, group sync
  • Google Workspace — OAuth, group sync via Admin SDK
  • Active Directory — LDAP bind, scheduled sync, nested-group resolution
  • SAML 2.0 — generic IdP support (Okta, JumpCloud, Auth0 tested)
  • Slack — bot user, slash commands, signed webhooks both ways
  • Microsoft Teams — bot, adaptive cards, channel notifications
  • Email-to-ticket — IMAP / Microsoft Graph / Gmail API
  • SMS — Twilio + AWS SNS (BYO key)
  • Wonde — staff + pupil sync from your MIS
  • REST API — full CRUD on every entity, OpenAPI 3.1 spec
  • Webhooks — signed event firehose for every state change
  • Direct SQL — read-only Postgres replica, your own queries

What you're running, not what we're hiding.

  • Upgrade path

    Standard Composer / migration. Blue-green or in-place. We test against the previous 4 minor versions.

  • Backups

    pg_basebackup + WAL archiving. Sample restore script + tested DR doc in the repo.

  • Observability

    OpenTelemetry traces + Prometheus metrics on every endpoint. Grafana dashboards shipped.

  • Audit log

    Append-only, partitioned by month, per-row signed. Standard Postgres — query it however you want.

  • Backup encryption

    At-rest via your KMS (AWS / Azure / on-prem HSM). We never hold your key.

  • Vulnerability disclosure

    security.txt, 90-day published timeline, CVEs filed under our root.

The stuff we don't ship.

  • No mandatory SaaS hop — every feature works fully on-prem
  • No proprietary database — Postgres only, no fork, no embedded engine
  • No "platform fee" for using your own SSO
  • No callback to vendor for licensing / heartbeat / telemetry without consent
  • No customer-data egress without an explicit, audited integration
  • No "AI features" you didn't turn on — every one is off per workspace until you enable it, BYO key for OpenAI / Azure / hosted Llama, and free-text is PII-redacted before any call. Daily + monthly cost caps you set.

Run it on your kit.

7-day private instance, your AD federated, your branding, your data shape. Spec sheet for self-hosting + a tested Ansible role in the eval pack so you can stand up your own on day one.