Software Add-Ons Ltd - OpenCRM


OpenCRM is a feature rich, secure Cloud based system that has been built and supported by the same people who started the business back in 2005. We pride ourselves on providing friendly and knowledgeable service from the foot of the Yorkshire dales.


  • Contact and Company Management centralised within this feature rich system.
  • Dynamic Calendar functionality and Activity management tools make scheduling easy.
  • Sales Process Management and Oversight from Lead creation to Invoicing
  • Fully integrated Customer Service Management module with SLA response alerts
  • Project management complete with time tracking tools.
  • Automation tools for workflow, action plans, and auto-email rules.
  • Email Campaign Management tools for tracking clicks, opens, and unsubscribes.
  • Unlimited custom fields, lists, and layouts, including profile specific views
  • Personalised and customisable Email, PDF, HTML, and Mail Merge Templates
  • Profile based permissions for managing module, record, and field access


  • Dedicated account manager to look after you and your team.
  • UK-based Customer Service team rated “Great” by 90% of respondents
  • Knowledgeable Project Managers available to assist with configuration and implementation.
  • All generic and bespoke development carried out in house.
  • UK-based infrastructure, including data centres, file storage, and backup facilities.
  • Security focused product and company with Cyber Essentials Plus rating.
  • Integrations with major, external applications ensure data is always available
  • GDPR tools for managing data retention, RTBF, and opt-in marketing.
  • Simple and sophisticated interface, customisable to fit your organisation.
  • Mobile access options, including browser, dedicated app, and offline framework.


£33 per user per month

  • Education pricing available
  • Free trial available

Service documents


G-Cloud 11

Service ID

9 3 0 9 8 2 7 7 0 6 0 0 6 8 1


Software Add-Ons Ltd - OpenCRM

Graham Anderson

01748 473000

Service scope

Software add-on or extension
Cloud deployment model
  • Public cloud
  • Private cloud
Service constraints
Planned maintenance is done with minimum of 7 days notice. Emergency maintenance can be carried out at any time for service affecting issues.
There are no hardware constraints so long as the hardware is capable of running an up to date web browser.
System requirements
Latest version or latest version -1 web browser

User support

Email or online ticketing support
Email or online ticketing
Support response times
Our standard Service Level Agreement (SLA) response time is 8 business hours. Tickets, on average, are closed after 36 total hours.
User can manage status and priority of support tickets
Phone support
Phone support availability
9 to 5 (UK time), Monday to Friday
Web chat support
Web chat
Web chat support availability
9 to 5 (UK time), Monday to Friday
Web chat support accessibility standard
None or don’t know
How the web chat support is accessible
Our online web chat uses dark text on a white background, with clear navigation.
Web chat accessibility testing
None at the present time.
Onsite support
Yes, at extra cost
Support levels
System and user support is included with the per user subscription of OpenCRM.

1. Account Manager: All companies have a dedicated account manager with whom they can discuss future and current system requirements. They are there to consult and advise on how you can use our system to meet your requirements.

2. Customer Service Team: Should you or your users have any questions on how to use the system, our support team is on hand to answer questions and troubleshoot technical issues.

If you decide to purchase any professional service or engage us to carry out custom development, this work will be overseen by a project manager who ensures the work is completed on time and to your specification.
Support available to third parties

Onboarding and offboarding

Getting started
We have an extensive library of Knowledgebase articles, as well as user guides, to help new users get started using OpenCRM. We do recommend new sign-ups purchase some online training, specifically "super user" training that will not only teach one of the new users to navigate and customise the system, but also how they can train other members of their team. It is possible to request onsite training, but we typically find that our online, screen-sharing sessions are more than enough to get people up and running.
Service documentation
Documentation formats
  • HTML
  • PDF
End-of-contract data extraction
Users are able to manually export data from their system (either module by module or using our Reports module). Should they decide to use Reports, users have the choice of .xls, .csv, or .pdf file formats. Exporting direct from a module will output as a .csv file. Alternatively they can request a copy of their MySQL database at no charge, which will be made available via a web link for no more than 30 days after the termination date of their system.
End-of-contract process
Should you decide to end your contract with us, we require a 60 day notification period. You will be responsible for the subscription cost for these full 60 days. Data is returned at no additional charge. You can also request a full deletion of any back-ups or snapshots free-of-charge. Any personal data we have in our internal systems relating to your company or users is removed after two years, provided it has not been used in any financial transactions. Any personal data linked to financial transactions is retained for at least 8 years.

Using the service

Web browser interface
Supported browsers
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
  • Opera
Application to install
Designed for use on mobile devices
Differences between the mobile and desktop service
It is possible to access OpenCRM from any browser, including mobile devices. All features are available from your mobile, although if you or one of your users is planning on exclusively accessing the system from a mobile, we recommend creating custom views and layouts to accommodate the smaller screen. This is not a requirement, but just best practice in our experience.
Service interface
Description of service interface
OpenCRM has a clean, metro style interface. We are constantly improving on this interface based on our customers' and users' feedback.
Accessibility standards
None or don’t know
Description of accessibility
All fields and buttons have descriptive labels. All text has a contrast ratio of at least 4.5:1. We strive to use correct sematic markup and to ensure consistent, logical reading/navigation order.
Most page functionality is accessible and navigable via the keyboard, with clear focus. All pages have informative titles, both on the page and on the links to that page.
Technical terminology is defined within user manuals and online FAQs.
There are no substantial changes to the page within a direct user action and form validation errors clearly spell out their cause.
Accessibility testing
No testing has been conducted at this stage.
What users can and can't do using the API
Any API service must be approved by us before being enabled. This is to ensure the security of the system and integrity of our customer's data. Additional support charges may be required to ensure the initial setup is completed smoothly.
API documentation
API documentation formats
API sandbox or test environment
Customisation available
Description of customisation
System administrators can enable/disable modules (globally and at profile level), change the order these modules appear, add unlimited custom fields to any module (26 types of custom field), change the layout of fields, create custom views (lists) in all modules, and build an unlimited number of email, PDF, HTML, and Mail Merge templates.


Independence of resources
All services are monitored 24/7 with staff on hand out of hours to investigate any issues that arise.
This monitoring checks that all systems are running within normal operating parameters and speed, and allows us to investigate and pinpoint any issues which may be as a result of individual users misuse.


Service usage metrics


Supplier type
Not a reseller

Staff security

Staff security clearance
Other security clearance
Government security clearance

Asset protection

Knowledge of data storage and processing locations
Data storage and processing locations
United Kingdom
User control over data storage and processing locations
Datacentre security standards
Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency
At least every 6 months
Penetration testing approach
Protecting data at rest
  • Physical access control, complying with CSA CCM v3.0
  • Physical access control, complying with another standard
  • Encryption of all physical media
Data sanitisation process
Data sanitisation type
Deleted data can’t be directly accessed
Equipment disposal approach
Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data export approach
Users are able to export data directly from the home screen of any module. This is exported as a .csv file. Additionally, users are able to export Reports they have created as .csv, .xls, or .pdf. Permission to export data can be restricted at the profile level.
Data export formats
  • CSV
  • Other
Other data export formats
  • XLS (from a Report)
  • PDF (from a Report)
Data import formats

Data-in-transit protection

Data protection between buyer and supplier networks
TLS (version 1.2 or above)
Data protection within supplier network
TLS (version 1.2 or above)

Availability and resilience

Guaranteed availability
Our servers are available 365 days a year, 24 hours a day, with a network availability of 99.97% up time and server response time of no more than 3 seconds excluding documents. More time may be needed in the case of large or multiple attachments. If a customer system is down for 0.03% of any calendar month, we will refund a portion of the monthly subscription at the rate of 5% for every 15 minutes of downtime up to a maximum equal to any monthly charges, except where we have given the customer more than 7 days notice. Where possible, we notify our customers 7 days before any maintenance work on systems or infrastructure, which is typically carried out between the hours of GMT [BST adjusted] 11pm – 6am. It is our goal that service-affecting maintenance works should generally last no more than 15 minutes in a single session.
Approach to resilience
Summative details of our data centre setup can be made available on request. We do not release the full details for security reasons.
Outage reporting
Where possible, we notify our customers 7 days before any maintenance work on systems or infrastructure, which is typically carried out between the hours of GMT [BST adjusted] 11pm – 6am. It is our goal that service-affecting maintenance works should generally last no more than 15 minutes in a single session.
Any outage or planned maintenance is reported on our status page. Users are encouraged to sign up for email alerts from this page.

Identity and authentication

User authentication needed
User authentication
Username or password
Access restrictions in management interfaces and support channels
Access to the front end of customer systems can be restricted using the permissions model within our own OpenCRM system. Should a member of our team need to access the backend of a customer system, their request and the reason for it is reviewed by a senior member of the team. This request and approval, as well as any front end access, is logged.
Access restriction testing frequency
At least once a year
Management access authentication
Username or password

Audit information for users

Access to user activity audit information
Users have access to real-time audit information
How long user audit data is stored for
At least 12 months
Access to supplier activity audit information
Users contact the support team to get audit information
How long supplier audit data is stored for
At least 12 months
How long system logs are stored for
At least 12 months

Standards and certifications

ISO/IEC 27001 certification
ISO 28000:2007 certification
CSA STAR certification
PCI certification
Other security certifications
Any other security certifications
Cyber Essentials Plus (TBC)

Security governance

Named board-level person responsible for service security
Security governance certified
Security governance approach
The security of our system, procedures, and interaction with customers is based on the ISO27001 standard, as well as the guidance set out by the General Data Protection Regulation (GDPR).
Information security policies and processes
Our information security policies and procedures were originally based on the Data Protection Act (1998), but was amended to ensure our adherence to both Cyber Essentials Plus protocols and the General Data Protection Regulation (2018). These including policies for the processing of personal data, ensuring the rights of data subjects are observed, and other internal security measures. Compliance with these policies and procedures is overseen internally by our board of directors. All employees are required to sign a confirmation that they have read and understood our policies and procedures, and agree to follow them.

Operational security

Configuration and change management standard
Supplier-defined controls
Configuration and change management approach
Any development work to our system is required to have the full specification of the project approved by a senior member of both the operations and development team. When the development is completed, it is tested for both frontend functionality and backend code compliance, which includes being assessed for their potential security impact. This process is overseen and tracked by a project manager. All development is fully documented and updated as future changes are made.
Vulnerability management type
Supplier-defined controls
Vulnerability management approach
We monitor online technology and security news and mailing lists for vulnerabilities reported on any software used to provide or maintain our hosted solution.
Patches, including OS updates are applied as soon as they are available or in the next scheduled maintenance window dependent on the severity of the vulnerability/advisory details of the patch.
Regular penetration testing against our web application alerts us to any vulnerabilities in our software and work to patch these is scheduled according to severity. Patches to the web application can be rolled out immediately where needed.
Protective monitoring type
Supplier-defined controls
Protective monitoring approach
Potential compromises are identified by regular health checks of servers and services. 24/7 system monitoring would alert us to unusually high levels of server activity, network or database traffic/activity, or an unusual level of errors in traffic/activity.

If any compromise were found, we would respond by first taking remedial action to prevent the compromise from performing the action it is taking.

An investigation would check if the same compromise was present anywhere else within the network and if any data or services had been breached. Any affected customers would be informed.

Response to any known compromise would be immediate.
Incident management type
Supplier-defined controls
Incident management approach
The processes for an IT, Physical, or Data Protection breach are fully documented within our internal wiki, as well as a general process for reporting and managing other potential incidents. These processes include who needs to be notified, the timescales for alerting customers, and who will manage the reporting and reviewing of an incident. Users are regularly reminded about the processes for reporting potential incidents and how they can remain alert for them.

Secure development

Approach to secure software development best practice
Conforms to a recognised standard, but self-assessed

Public sector networks

Connection to public sector networks


£33 per user per month
Discount for educational organisations
Free trial available
Description of free trial
Users interested in trialing the interface can sign up to use a shared demo system. There is no access to the admin side and the system is reset overnight.

Alternatively, we do offer a free, 14 day trial of a full system with no integrations.

Service documents

Return to top ↑