Keystone AI

keystone://governed-retrieval

On-prem AI knowledge infrastructure for organizations that cannot use cloud AI.

Query across SharePoint, file shares, databases, and email using natural language, with query-time permission enforcement and audit-grade records.

Runs fully on customer infrastructure. No external API calls. Air-gap compatible.

How it works
no cloud calls · no data exfiltration
Query:   "How did we handle that equipment failure in 2019?"
Sources: SharePoint + SMB/NFS + SQL + Email archive
Gate:    Query-time ACL enforcement (inherited from source systems)
Output:  Answer + citations + audit record (who/what/when accessed)

The knowledge fragmentation problem

Your institutional knowledge is scattered:

  • Safety procedures in SharePoint
  • Equipment manuals on file shares
  • Incident reports in email archives
  • Work orders in databases

When engineers need answers, they spend hours searching disconnected systems, or they guess. That is how avoidable incidents and audit failures happen.

Keystone enables natural language queries across all sources while enforcing access controls and maintaining audit records.

Built for regulated environments

Permission-aware retrieval

Users only see content they are authorized to access. ACLs are inherited from source systems and enforced at query time, not filtered after the fact.
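
An added illustration of the distinction drawn above, not Keystone's code: a small in-memory index stands in for the vector backend, and the document names, group names, toy 2-d vectors and function names are all constructed assumptions. It shows that ranking first and filtering afterwards can leave an authorized user with no results, while applying the ACL as part of the search returns the best authorized matches, along with a minimal audit record.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass(frozen=True)
class Chunk:
    doc_id: str
    vector: tuple              # toy 2-d embedding (constructed)
    allowed_groups: frozenset  # ACL captured from the source system at ingest

# Constructed sample index standing in for a vector backend.
INDEX = [
    Chunk("hr/termination-memo", (0.90, 0.10), frozenset({"hr"})),
    Chunk("legal/incident-review", (0.88, 0.12), frozenset({"legal"})),
    Chunk("maint/pump-failure-2019", (0.80, 0.20), frozenset({"maintenance", "engineering"})),
    Chunk("maint/pump-manual", (0.60, 0.40), frozenset({"maintenance"})),
    Chunk("safety/lockout-procedure", (0.50, 0.50), frozenset({"all-staff"})),
]

def _score(query_vec, chunk):
    return sum(q * v for q, v in zip(query_vec, chunk.vector))

def search_prefiltered(query_vec, groups, k):
    """ACL is part of the search: unauthorized chunks are never scored or ranked."""
    allowed = [c for c in INDEX if c.allowed_groups & groups]
    ranked = sorted(allowed, key=lambda c: _score(query_vec, c), reverse=True)
    return [c.doc_id for c in ranked[:k]]

def search_postfiltered(query_vec, groups, k):
    """Rank everything, cut to top-k, then drop what the user may not see."""
    ranked = sorted(INDEX, key=lambda c: _score(query_vec, c), reverse=True)
    return [c.doc_id for c in ranked[:k] if c.allowed_groups & groups]

def audited_query(user, groups, query_vec, k=2):
    """Pre-filtered search plus a record of who asked and what was returned."""
    hits = search_prefiltered(query_vec, groups, k)
    record = {
        "user": user,
        "groups_checked": sorted(groups),
        "sources": hits,
        "at": datetime.now(timezone.utc).isoformat(),
    }
    return hits, record

if __name__ == "__main__":
    tech, q = {"maintenance", "all-staff"}, (1.0, 0.0)
    print("pre-filter :", search_prefiltered(q, tech, 2))
    print("post-filter:", search_postfiltered(q, tech, 2))
    print("audit      :", audited_query("jdoe", tech, q)[1])
```

In the post-filter case the two highest-scoring chunks belong to groups the user is not in, so they consume the whole top-k and are then discarded; restricted content has also already passed through the ranking stage before any permission check runs.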

Multi-source ingestion

SharePoint (Graph API with OAuth delegation), file shares (SMB/NFS with metadata), databases (Postgres / SQL Server), and email archives.

Audit-grade records

Every query is recorded: user identity, sources accessed, permission checks, generated answers, and citations. Chain-of-custody support.

On-prem deployment

Runs entirely on your infrastructure. No external API calls. Air-gap compatible. Docker Compose orchestration.

Designed for compliance-constrained environments

  • NIST 800-171: CUI handling constraints
  • CMMC readiness: Supplier and contractor controls
  • HIPAA: Healthcare auditability needs
  • SOX: Change and access traceability

Built for regulated enterprises and compliance-constrained teams where data sovereignty is non-negotiable.

Keystone enables compliance controls. It does not claim certification.

Production-grade infrastructure

Technology stack
Inference:     Ollama - local LLM deployment
Embeddings:    BGE-large-en-v1.5 - 1024-dimension vectors
Vector search: Vector backend with metadata-filtered search (Qdrant in the demo)
Permissions:   PostgreSQL - RBAC/ABAC enforcement + sync state
API:           FastAPI - async ingestion + query pipeline
Security:      SOPS + age encryption, structured audit records

Open source where possible. Proprietary where necessary.

Built by an enterprise infrastructure engineer

12 years at Genesys delivering and supporting enterprise platforms in compliance-constrained environments.

Built production systems under strict uptime, security, and audit expectations.

Keystone applies enterprise operational discipline to on-prem AI knowledge infrastructure.

Technical discussion

If your organization needs to unlock institutional knowledge while maintaining data sovereignty, let's discuss architecture.

Licensing

Source code available under Business Source License 1.1. Free for non-production use, converts to Apache 2.0 in 2030.