Calero Software Ltd

Calero Technology Expense Management (TEM)

Utilising Azure Platform as a Service, we provide cost visibility and management control to landline, mobile and WAN telecom service assets. Via the management and resolution of billing errors, wastage and excess capacity, we optimise and rationalise services to deliver direct and indirect savings of 10-30% of annual expenditure.


  • Microsoft Azure Platform as a Service - PaaS
  • Linearly scalable to address any size of organisation
  • Analyse data from any source at a transactional level
  • Big data search, analytics and management reporting
  • Secure user access based on customer criteria
  • Mobile Policy management, implementation and control
  • Centralised view of entire telecoms and IT expenditure
  • Integration with existing IT, HR and Finance systems
  • Single Sign-On
  • Full customisation


  • Total cost control of the telecoms estate
  • 10-30% typical cost reduction on telecoms estate
  • Operational efficiencies in the management and reporting
  • Provide accurate ongoing service asset cost control and cost allocation
  • Comprehensive governance and compliance across the telecom estate including mobile
  • Supplier contract management and governance


£40500 per licence per year

  • Education pricing available

G-Cloud 10


Calero Software Ltd

Rachel Knibbs

07880 187749

Service scope

Software add-on or extension No
Cloud deployment model Public cloud
Service constraints Our application is restricted to using Microsoft Azure services, specifically PaaS. Azure Stack (onsite deployment) is on our roadmap once Microsoft releases it later this year. Outages are limited, as hardware patching and maintenance are performed by Microsoft, meaning no downtime to the PaaS environment. The only planned outage is a 2-hour weekly window (out of hours) to perform feature upgrades and bug fixes.
System requirements
  • Client will agree to use Calero Veropath Azure Subscription
  • Dynamic Data Masking requirements on certain fields
  • Geo or local redundant blob storage account setup
  • Single Sign-On method – ADFS or Azure AD at present
  • API requirements to 3rd party applications (Calero Veropath REST API)

User support

Email or online ticketing support Email or online ticketing
Support response times The Helpdesk will respond as soon as reasonably possible and in any event within 1 Business Hour. The Helpdesk operates Monday to Friday between 09.00 and 17.00. Due to the nature of the solution, 24/7 support is not typically required; however, 24/7 support can be provided on a price-on-application basis.
User can manage status and priority of support tickets No
Phone support Yes
Phone support availability 9 to 5 (UK time), Monday to Friday
Web chat support No
Onsite support Yes, at extra cost
Support levels End-User Support is provided Monday to Friday 09.00 to 17.00 with a target of 95% of all support tickets being responded to within 1 business hour. The nature of our solution is typically not considered mission critical.

In addition, we are able to provide on-site support in the form of a trainer and/or a technical account manager; these will be charged based on our published day rate.

We also provide remote support in respect of supplier billing data loading, as this is typically the most time-consuming element for Customer resource and it is commonly more cost-effective for our specialist resource to support this activity.
Support available to third parties Yes

Onboarding and offboarding

Getting started There is typically a setup phase of c. 6 weeks, where we will create the required instance, set up all data loading scripts for all required datasets, import a maximum of 12 months' historical telecoms and IT billing data and customer reference data, contracts and tariffs, and create all agreed custom fields and reports as part of the onboarding process.

Upon completion of the setup phase the Customer will be able to access the application and be given visibility of the potential historical rebate and savings opportunities. Using the Customer's own data we will provide onsite training and support to ensure that the Customer can maximise the use of the tool.

Upon completion of the setup phase the Customer will have access to a total of 10 additional onsite training days, alongside pre-recorded training videos and user documentation.
Service documentation Yes
Documentation formats HTML
End-of-contract data extraction At the end of the contract a total of three extracts will be made available to the customer in CSV format:

1. Inventory Extract
2. Contract and Tariff Extract
3. Order History Extract
End-of-contract process A total of three extracts will be prepared on the final day of the contract and issued to the Customer in CSV format. At the end of the contract the Customer instance will be disabled and all associated data will be destroyed in line with our ISO 27001 procedures, which will see all paper documents shredded, all data deleted and any associated instance destroyed.

Using the service

Web browser interface Yes
Supported browsers
  • Internet Explorer 10
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
Application to install No
Designed for use on mobile devices No
Accessibility standards WCAG 2.0 A
Accessibility testing Accessibility Developer Tools by Google. The automated audit tool is called accessSniff.
What users can and can't do using the API Users require credentials to obtain a token, which is then used to make RESTful calls to the API to get data. Data is saved in the same way, by posting the required changes using the key API calls. The API can only be called from specific IP domains.
API documentation Yes
API documentation formats Open API (also known as Swagger)
API sandbox or test environment Yes
Customisation available Yes
Description of customisation Users can create custom fields that can be applied to all aspects of our solution or to specific modules. In addition, users can create custom searches and reports to drive key information. Users can also customise the underlying data structure to support their specific needs.

Customisation is achieved through standard functionality contained within our application. Who can customise is defined by user permissions; permissions give a user rights to create, edit and/or view.


Independence of resources The Calero Veropath application is built using the Azure PaaS solution, where each client has their own dedicated SQL Azure database. Databases can either share DTUs in a pool or be configured to use a dedicated pool. Pools can be scaled on demand to allow increased DTUs for high periods of activity. Web Services operate in an application pool and are scaled dynamically on CPU and memory thresholds. Using a combination of these services provides a high degree of assurance that demand is met on both fronts.


Service usage metrics Yes
Metrics types NW/IH
Reporting types Regular reports


Supplier type Not a reseller

Staff security

Staff security clearance Other security clearance
Government security clearance Up to Security Clearance (SC)

Asset protection

Knowledge of data storage and processing locations Yes
Data storage and processing locations EU-US Privacy Shield agreement locations
User control over data storage and processing locations Yes
Datacentre security standards Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency At least once a year
Penetration testing approach ‘IT Health Check’ performed by a Tigerscheme qualified provider or a CREST-approved service provider
Protecting data at rest
  • Physical access control, complying with CSA CCM v3.0
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Physical access control, complying with another standard
  • Encryption of all physical media
  • Scale, obfuscating techniques, or data storage sharding
Data sanitisation process Yes
Data sanitisation type Deleted data can’t be directly accessed
Equipment disposal approach Complying with a recognised standard, for example CSA CCM v3.0, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data export approach Reports or Custom Search
Data export formats
  • CSV
  • ODF
  • Other
Other data export formats
  • PDF
Data import formats
  • CSV
  • Other
Other data import formats Custom formats via Python

Data-in-transit protection

Data protection between buyer and supplier networks
  • TLS (version 1.2 or above)
  • Legacy SSL and TLS (under version 1.2)
Data protection within supplier network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
  • Legacy SSL and TLS (under version 1.2)

Availability and resilience

Guaranteed availability Calero Veropath Portal Access has a targeted 99% SLA. Calero Veropath Portal Uptime has a targeted 99% SLA.

As the solution is not considered business critical and the customer would suffer no losses as a result of being unable to access the application, we would not offer any form of refund where targeted levels are not achieved. However, if we are non-compliant, the process below would be followed:

1. One (1) month non-compliance with the SLA - Account Director will provide detailed explanation and recovery plan to the Customer;

2. Two (2) consecutive months non-compliance across all KPIs detailed within the SLA – the Supplier’s COO will attend a meeting with the Customer to provide detailed explanation and recovery plan; and

3. Three (3) or more consecutive months (or 3 months out of 6) non-compliance across all KPIs detailed within the SLA - The Customer may elect to terminate the Services.
Approach to resilience Our solution is built using Microsoft Azure Platform as a Service, which provides full automated disaster recovery and machine self-healing.
Outage reporting Email notification and public announcements on the Calero Veropath portal. At the point of logging into the Calero Veropath portal, a user will be notified of any announcements that have been made within the tool, and the tool will track whether the announcement(s) have been read. Announcements are typically used to provide advance warning of planned outages and reminders prior to the outage. In the event of a planned or unplanned outage, the user will be provided with a notification on the login page providing an indication of time to resolve.

Identity and authentication

User authentication needed Yes
User authentication
  • Identity federation with existing provider (for example Google Apps)
  • Username or password
  • Other
Other user authentication Users can authenticate either with a Calero Veropath username (email address) and password (strength client-defined) set up on the application, or with Active Directory Federation Services, allowing local client AD security to be maintained.
Access restrictions in management interfaces and support channels Access is restricted through client-defined security groups created in the application, which incorporate access to Modules (with read/write/design/admin), data sources (Structure, Supplier, Account) and Owner services. A user can be a member of a Business group, which has indirect security group membership, or have direct access to a security group. The Business group hierarchy only allows access to user-owned services from the child business group; they do not inherit the security group access of the child business group.
Access restriction testing frequency At least every 6 months
Management access authentication Username or password

Audit information for users

Access to user activity audit information Users contact the support team to get audit information
How long user audit data is stored for Between 6 months and 12 months
Access to supplier activity audit information Users contact the support team to get audit information
How long supplier audit data is stored for Between 6 months and 12 months
How long system logs are stored for Between 6 months and 12 months

Standards and certifications

ISO/IEC 27001 certification Yes
Who accredited the ISO/IEC 27001 QMS International
ISO/IEC 27001 accreditation date 25/01/13
What the ISO/IEC 27001 doesn’t cover No aspect of our operation is not covered by ISO/IEC 27001 certification. The accreditation covers Calero Software Limited as an organisation, and covers both the Operational and Developmental aspects of the business.
ISO 28000:2007 certification No
CSA STAR certification No
PCI certification No
Other security certifications Yes
Any other security certifications Cyber Essentials Plus

Security governance

Named board-level person responsible for service security Yes
Security governance certified Yes
Security governance standards ISO/IEC 27001
Information security policies and processes Information Security policies and the management of these policies are controlled within the ISO 27001 process. In line with this structure, policies are reviewed every quarter through an ISMS meeting with key individuals from the business and the ISMS Manager. Agreements are made on whether policies require updating or new policies need to be developed in line with changes in business process or external factors. Policies and processes are audited once a year by QMS, an external body which reviews them and highlights recommendations where necessary. New staff must complete a security awareness course, and there is an annual security awareness course which all staff must complete. Policies are available to staff on the company SharePoint site.

Operational security

Configuration and change management standard Supplier-defined controls
Configuration and change management approach Change Management is detailed within our ISO 27001 policy.
Microsoft online Team Foundation Services is used to register bugs and features from concept through to delivery. "Change sets" are published to the Development environment and code reviewed by senior developers to confirm impact on performance and security. Once approved, a release is built on the Alpha environment and, on successful testing, this is released to Beta. Once in Beta this can be hot swapped to Production, allowing immediate rollback if issues are identified, with no downtime for the user.
Vulnerability management type Supplier-defined controls
Vulnerability management approach The Calero Veropath application and related services are run using Azure PaaS, meaning that all patches, including critical patches, are applied immediately by Microsoft without causing any downtime of the service.
Azure provides regular updates and threat prevention.
Protective monitoring type Supplier-defined controls
Protective monitoring approach Configuration of Azure Alerts across App services (API, Web) and SQL Services covering various performance indicators (query analysis, long response times, high CPU, high memory), server event errors (4xxx, 5xxx), and regular use of Azure Advisory services to determine any services which require attention based on recommendations. Threat detection in conjunction with auditing is enabled on all databases.
Alerts are raised through wall boards and emailed to a central group for investigation. The threat level dictates the course of action and response.
Incident management type Supplier-defined controls
Incident management approach Calero Software Limited has a clearly defined Incident Management approach, taking its guidelines from the ISO 27001 standard. A report of security incidents is raised at each ISMS Management review. Individual incidents are logged with TFS for tracking and to help improve services in the future. An Incident Reporting and Management Policy also supplements this Policy and provides clear guidelines for staff on the classification of incidents and the time frames in place for the effective reporting of incidents. The Policy also clarifies the parties responsible for incident management and the control of incidents from detection to resolution.

Secure development

Approach to secure software development best practice Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

Connection to public sector networks No


Price £40500 per licence per year
Discount for educational organisations Yes
Free trial available No

