For trust IT directors
Self-hosted. Yours.
Or fully managed by us, if you'd rather not.
KeystoneOps deploys to a bare-metal Ubuntu host you own — no vendor cloud, no shared multi-tenant, no data leaving the trust. Native systemd services, Postgres, Redis, Nginx. The same operational shape your other on-prem services already have. Don't have the infrastructure or the appetite to run it yourself? Take the Managed Hosted path — we run it on UK single-tenant servers; the annual subscription builds credit toward the perpetual licence; after 36 months you own the licence outright. Migrate to self-hosted any time.
What you're dealing with
The jobs nobody bought a platform to solve.
Data residency questions on every contract
Every cloud-SaaS procurement triggers a DPIA, a sub-processor review, a transfer-impact assessment. Self-hosted bypasses that whole conversation.
Per-vendor SSO setup, every time
Six different vendors, six different SSO configurations to maintain. Six different group-mapping schemes. Six places to reset when an admin leaves.
No real API surface in most school SaaS
You can't build a unified portal because each vendor exposes a half-baked API or none at all. Your "single pane of glass" is a Sharepoint page.
On-prem AD ignored by every cloud product
You're running AD because pupil accounts need to sit on-prem. The SaaS vendors all want to read it via expensive connectors that need cloud-side service principals.
What KeystoneOps does about it
The products that matter for your role.
Helpdesk + ITSM
Email-to-ticket via your existing mail server. Slack/Teams via your existing tenant. Your queue, not theirs.
See the product →
IT asset management
On-prem network discovery via Go agents. Reads ARP, DHCP, mDNS — no cloud telemetry.
See the product →
Estates compliance
Compliance + room booking on the same auth + asset graph as IT. One source of truth.
See the product →
Governance & risk
KCSIE / Cyber Essentials / ISO 27001 evidence stored in your trust, exportable any time.
See the product →
What this looks like in practice
Outcomes you can quote in your next board pack.
1 IdP
Microsoft Entra ID, Google Workspace, LDAP, or generic SAML/OIDC. JIT provisioning. Group-to-role mapping. Set up once.
Full REST API
Every entity readable + writable via /api/v1. Sanctum personal access tokens, scoped permissions, rate limits.
Two deploy paths
Self-host: tarball release, native systemd services on Ubuntu, same backup story as your file server. Or managed: UK single-tenant servers, we run it, you keep the licence. Switch direction any time.
Drop us an email.
We'll spin up a private instance, seed it with your trust's structure, and send you a link to explore at your own pace. All correspondence is by email — it suits the procurement pace and lets you forward threads to colleagues without rewriting them.