Our Services Catalog

This catalog describes the Services available under Your managed services plan with Us. The specific Services included in Your plan are set out in Your Statement of Work. This catalog is referenced by and subject to the terms of Your Master Service Agreement.

Last updated, April 19, 2026

How This Catalog Works

Our Services are organized into two core categories: Managed Identity and Managed Device. Your Statement of Work specifies which Services are active on Your plan. Additional Services, including compliance configurations, are available and scoped individually to Your requirements.

For support hours, response time targets, and help desk scope, see Our Services Standards at hellotucu.com/services-standards.

We may update this catalog from time to time to reflect changes in Our Services, tools, or operations. When We make changes, We will publish the updated version at this URL and notify You. The current version at this URL is the version that applies to Your service.

Managed Identity
Service What This Means
Identity & Access Management
Basic Entra ID Security ConfigurationsYour user accounts are secured with baseline identity protection settings managed by Us.
Identity and Mobile Device ManagementUser identities and mobile devices accessing work resources are centrally managed and enforced.
Basic Conditional Access PoliciesSign-in rules control when, where, and how users can access work applications and data.
ITDR – Identity Threat Detection and ResponseAutomated monitoring detects suspicious sign-in behaviour and responds to identity-based threats.
Automated Device Provisioning EnablementNew devices are pre-configured and shipped ready to use. Device and shipping costs are not included. Delivery times vary by manufacturer; Apple and custom-built devices typically ship more slowly than standard PCs, so please allow extra lead time and consider keeping one or two spare devices on hand.
Standardized Staff Onboards and Secure OffboardsNew staff are set up across all systems. Departing staff access is systematically revoked. 5 business days notice required for service to be included. If notice not provided, work is billable at Rush Rates.
Email & Data Protection
Email and Cloud Drive BackupAutomated offsite backup of user email, OneDrive, and SharePoint. We recover deleted or corrupt files from backup. We perform restore testing monthly on a randomly selected file for every managed client, so recovery is proven before it is ever needed.
Client Resources
24/7 DIY IT Help Portal and Password ResetSelf-service portal for submitting tickets, tracking progress, resetting passwords, and accessing help documentation.
Microsoft 365 Video Training LibraryOn-demand video training covering Microsoft 365 applications, provided by a professional third-party training platform.
Cyber Security Awareness Training LibraryOn-demand cyber security awareness training with optional weekly training emails to each staff member.
IT InventoryReal-time view of Your managed devices, software, and user accounts.
IT Planning BoardVisual roadmap of technology recommendations. Park or approve items to plan and budget for improvements.

Requires: Microsoft 365 Business Premium or EMS E3 licenses (for Google Workspace environments).

Scope: MANAGED IDENTITY (per licensed user)

Your plan includes the day-to-day management and support of each licensed user’s cloud identity and access. This means we handle routine identity tasks so your team can focus on their work, not IT tickets.
Included in your plan:

  • Creating and disabling user accounts as part of standard staff onboarding and offboarding (5 business days notice required per your Agreement).
  • Resetting passwords when self-serve reset is unavailable.
  • Adding users to existing security groups and SharePoint sites.
  • Assigning, removing, or changing Microsoft 365 licenses within your current entitlement.
  • Creating mailboxes and distribution lists.
  • Configuring email on one tablet and one smartphone per user in addition to their primary work computer.
  • Unlocking accounts. Troubleshooting login, sync, and connectivity issues with Exchange Online, OneDrive, SharePoint, and Teams.

All users also have access to our 24/7 self-serve password reset portal, the Microsoft 365 and cybersecurity awareness training library, and our IT inventory and planning tools.

Not included (billable as Additional Services or Service Request):

  • Designing new conditional access policies, security group structures, or identity governance frameworks.
  • Tenant-to-tenant migrations or directory consolidations.
  • Integrating new applications into your identity environment (SSO, SCIM provisioning).
  • Bulk license tier changes that require environment reconfiguration (e.g., migrating users from Business Premium to E5 with policy redesign).
  • Any identity work that requires planning, design, or architectural changes beyond maintaining your existing configuration.

The principle is straightforward: maintaining and supporting your current identity setup is included. Changing the architecture or adding new capabilities is a project, scoped and quoted separately.

Managed Device
Service What This Means
Security
Managed AntivirusEnterprise antivirus installed, configured, and monitored on every managed device.
Managed EDR – Endpoint Detect and ResponseAdvanced threat detection that identifies and responds to security events beyond what antivirus catches.
Managed PAM – Privileged Access ManagementStandard user profiles enforced. Admin rights removed. Approved application installs are handled through controlled elevation.
Maintenance
24/7 Device Health Monitoring and ReportingContinuous monitoring of device health with automated self-healing for common issues.
Windows Update ManagementOperating system patches applied and verified automatically.
Third-Party Patch ManagementAutomated patching of 200+ common browsers and applications.
Support
Remote Troubleshooting SupportRemote diagnosis and resolution of device issues during support hours. See Service Standards for response time targets.
Remove or Add Device From or To Storage or New UserReassign devices between users or move devices to and from storage as Your team changes.

Applies to: Windows and macOS desktops, laptops, and Azure or Windows 365 virtual desktops managed by Us.

Scope: Per computer (physical or virtual). Covers the security, monitoring, patching, and support of each device on Your plan.

Your plan covers the ongoing security, maintenance, and support of each managed computer listed on your invoice. We manage Windows and macOS devices owned by your organization, configured with standard user profiles and admin access controlled by us.
Included in your plan:

  • Antivirus, endpoint detection and response (EDR), and privileged access management on each device.
  • Health monitoring with proactive alerting and self-healing where possible.
  • Windows and macOS patch management.
  • Third-party application patching for approved applications.
  • Remote troubleshooting during business hours, including operating system errors, crashes, and application issues.
  • Slow computer cleanup and optimization (excluding end-of-life devices).
  • Software installs from your approved applications list.
  • Device reassignment between users.
  • Virus removal.

We maintain an approved applications list for your organization. When you’re considering new software, we’ll vet it for security and advise on risk, though we don’t provide software selection consulting.

Not included (billable as Additional Services or Service Requests):

  • BYOD or personal devices owned by staff (supported only with a signed release form, billed per our current rates).
  • Hardware costs, procurement, and physical repairs.
  • New device setup and onboarding (deployment of our security and management stack onto a new machine).
  • Major hardware upgrades.
  • End-of-life devices that can no longer receive security updates.
  • Custom application builds, packaging, or deployment projects.
  • Any device work that goes beyond maintaining your current managed fleet.


If a staff member installs software without our involvement, that software is outside the scope of your plan. If it causes a security incident or device issue, investigation and remediation are billable.

Compliance Add-On
Configuration What This Means
Data Classification and Sensitivity LabelsDocuments and emails are automatically or manually classified by sensitivity level to control access and sharing.
Data Loss Prevention (DLP) PoliciesRules that detect and prevent the unauthorized sharing of sensitive information outside Your organization.
Advanced Conditional Access PoliciesExpanded sign-in rules beyond baseline, tailored to Your compliance framework.
Advanced Intune and Identity ManagementExtended device and identity configurations required by Your specific compliance standards.
Device Compliance MonitoringContinuous assessment of device compliance status against Your security baselines.
Compliance DocumentationDocumentation of security controls and configurations to support Your audit and compliance needs.

The specific configurations, scope, and fees for Your compliance requirements are set out in Your Statement of Work.

What's Included

Requires: Managed Identity and Managed Device services must be in place before compliance configurations are applied.

Scope: Custom to each client. Scoped and quoted individually based on Your regulatory, industry, or organizational compliance requirements and may include any combination of the outlined Services.

The compliance add-on provides custom security configurations beyond the standard Managed Identity and Managed Device services. This is for organizations that need to meet specific regulatory, contractual, or industry security requirements.

Included when added to your plan:

  • Data classification and sensitivity labelling configuration.
  • Data loss prevention (DLP) policy implementation and management.
  • Advanced conditional access policies beyond our standard baseline.
  • Device compliance monitoring and enforcement.
  • Compliance documentation and reporting support.

Not included (billable as Additional Services or Service Requests):

  • Formal audit preparation, evidence gathering, or audit response beyond documentation we already maintain.
  • Detailed forensic investigation or log analysis following a security event (per your Agreement, forensic work beyond initial containment is billable).
  • Gap assessments against new frameworks not already configured in your environment.
  • Building compliance programs from scratch for frameworks not yet implemented.
Additional Services

The following services are available in addition to Your managed services plan. These are scoped individually and added to Your Statement of Work if required.

Service Details
Server Management (Local or Virtual)24/7 monitoring, patching, backup, and support for managed servers. Scoped per server.
Network, WiFi, Printer and NAS ManagementFirmware updates and connectivity support for network devices installed and configured by Us.
VoIP Phone System ManagementManagement of Your cloud-hosted VoIP phone system including extensions, phone tree updates, and troubleshooting.
SIEM – Security Incident and Event ManagementConfiguration and maintenance of SIEM tools and log storage. Event review included. Incident log analysis billed at Your contracted rate.
Workstation BackupDevice-level backup and recovery for individual workstations. Does not include email backup.
Disaster Recovery on Virtual DevicesRebuild of virtual systems in the event of ransomware or catastrophic failure. Physical device recovery billed separately.
Password Vault ManagementEnterprise password manager with Single Sign On and vault management support.

Server Management (Local or Virtual)

Applies to: Windows Server (physical or virtual) installed and configured by Us and listed on Your service invoice.

Scope: Per managed server. Covers 24/7 monitoring, patching, backup, and support for each server on Your plan.

Your plan covers the ongoing monitoring, maintenance, and support of each managed server. We keep servers patched, backed up, and healthy so they stay out of your way.

Included in your plan:

  • 24/7 monitoring and reporting on 200+ system variables with automated self-healing for common issues.
  • Automated daily patches and Windows Updates with weekly patch verifications.
  • Server license management.
  • Unlimited remote support and troubleshooting during business hours.
  • Critical failure response after hours.
  • Backup and storage up to 1 TB of file server data (not including SQL or other database files). Data backups are encrypted at rest and in transit with versioning (3 most recent versions retained). Additional storage fees apply beyond 1 TB.
  • Priority response time according to Your Service Level Agreement.

Not included (billable as Service Requests):

  • SQL Server or database administration, tuning, or backup.
  • Server hardware replacement, upgrades, or procurement.
  • Server migrations, consolidations, or new server builds.
  • Active Directory architecture changes, domain restructuring, or forest/trust configuration.
  • Third-party application server support (application vendor is responsible for their software; We support the underlying OS and infrastructure).
  • Backup storage beyond 1 TB (billed based on usage).

Network, WiFi, Printer & NAS Management

Applies to: Firewalls, switches, wireless access points, network-attached storage (NAS), and managed printers installed and configured by Us and listed on Your service invoice.

We do not monitor or manage infrastructure installed by third parties. We can provide support to certain third-party network installations, billable according to Our current Service Price List.

Scope: Per managed network. Covers firmware updates, monitoring, and connectivity troubleshooting during business hours for network equipment We installed and manage.

We manage the network equipment that connects your team to their work. Firewalls and WiFi equipment installed by Us are monitored with early detection systems that report issues to Us for remediation.

Not included (billable as Service Requests):

  • Network design, redesign, or expansion projects.
  • New equipment procurement, cabling, or physical installation.
  • Printer hardware repairs, replacement parts, or consumables (toner, drums, etc.).
  • NAS data migration, share restructuring, or permission redesign.
  • Internet service provider issues (ISP outages are outside Our control).
  • Home networking equipment for remote staff.
  • Network equipment installed by third parties.

Applies to: TUCU-approved cloud-hosted VoIP phone systems configured and managed by Us.

Scope: Per managed phone system. Covers day-to-day administration of Your cloud-hosted VoIP system including extensions, phone tree updates, and troubleshooting.

We handle the ongoing administration of Your VoIP phone system so Your team can make and receive calls without worrying about the backend configuration.

Included in your plan:

  • Adding, removing, and reassigning extensions.
  • Phone tree greeting updates (You supply the recordings, We update the phone system).
  • Troubleshooting call quality, connectivity, and configuration issues.
  • User setup and removal as part of staff onboarding and offboarding.

Not included (billable as Service Requests):

  • VoIP license costs, call time charges, or telephone line fees.
  • Recording production (You provide recordings, We configure them).
  • Major phone tree redesigns or call flow architecture changes.
  • Integration with CRM or other business applications.
  • Physical desk phone procurement or hardware repairs.
  • Migration to a new VoIP platform.

 

 

Applies to: Enterprise-grade password manager software, provided by, configured by and managed by Us. Connects it to Your Microsoft 365 sign-in. We manage the day-to-day administration so Your team always has the right access.

In scope:

The software subscription, billed per user, per month through TUCU on Your invoice.

Single sign-on setup, so Your people log in to Bitwarden with their existing Microsoft 365 account.

General management of users and group assignments, including adding and removing users.

Group assignments for vaults, so the right teams get access to the right vaults.

Not included (billable as Service Requests):

How to use the app. Day-to-day use of the password manager is up to each user, though We offer some basic orientation videos to get Your team started.

Individual password management. We do not see, manage, create, or maintain the personal logins each user stores in their own vault.

Billable Services

The following services are not included in Your managed services plan and are billed separately.

Service Rate Billing
After Hours Services - By Appointment$225/hour3 hour minimum, billed in 15-minute increments thereafter.
Remote Moves, Adds, Changes$130/hour30-minute minimum, billed in 15-minute increments thereafter.
Remote Rush Support $250/hourAvailable at Your request and Our discretion. 1-hour minimum.
On-Site Trip Fee$90 flatWithin Toronto and Durham Region. Additional travel fees may apply outside these areas.
On-Site Moves, Adds, ChangesBy Quote3-hour minimum per visit, billed in 15-minute increments thereafter.
On-Site Rush Support$250/hourAvailable at Your request and Our discretion. 4-hour minimum.
Staff Onboard or OffboardSee noteIncluded with 5 or more business days notice. Remote rush rates may apply with shorter notice.
Vendor Security Questionnaires and Compliance Documentation$585/engagementFor clients on Compliance Management with Us only.
Major ProjectsBy quoteScoped and quoted individually.
BYOD Device Support$130/hourRelease form required. Security incidents from BYOD devices billed at investigation rates.
Security Investigation + Remediation$250/hourFor any unmanaged, or managed high risk environment or identity.

Rates may be updated from time to time with notice.

What Is Not Covered

The following are outside the scope of all managed services plans:

  • Hardware costs, device purchases, and shipping.
  • Software license costs (Microsoft 365, Google Workspace, and other subscriptions are billed separately).
  • Third-party application, hardware, or software support where the product is required to have support from the manufacturer, publisher, or provider. We will provide basic assistance to facilitate resolution of minor issues at Our discretion.
  • Support for end-of-life devices or operating systems.
  • Support for personally owned (BYOD) devices without a signed release form.
  • Software selection consulting. We vet software for security risk but do not advise on which product to choose for Your business needs.
  • Forensic investigation and remediation work beyond initial containment of a security incident.
  • Anything not described in this catalog or in Your Statement of Work.
Related Documents

Master Service Agreement – The legal framework governing Your relationship with Us, including responsibilities, liability, confidentiality, and termination.

Statement of Work – The specific services, fees, and payment terms for Your account. Attached as Schedule A to Your Master Service Agreement.

Service Standards – Support hours, response time targets, help desk scope, maintenance windows, and incident response. Published at hellotucu.com/services-standards.

Learn how we helped 100 top brands gain success