This catalog describes the Services available under Your managed services plan with Us. The specific Services included in Your plan are set out in Your Statement of Work. This catalog is referenced by and subject to the terms of Your Master Service Agreement.
Last updated, April 19, 2026
Our Services are organized into two core categories: Managed Identity and Managed Device. Your Statement of Work specifies which Services are active on Your plan. Additional Services, including compliance configurations, are available and scoped individually to Your requirements.
For support hours, response time targets, and help desk scope, see Our Services Standards at hellotucu.com/services-standards.
We may update this catalog from time to time to reflect changes in Our Services, tools, or operations. When We make changes, We will publish the updated version at this URL and notify You. The current version at this URL is the version that applies to Your service.
| Service | What This Means |
|---|---|
| Identity & Access Management | |
| Basic Entra ID Security Configurations | Your user accounts are secured with baseline identity protection settings managed by Us. |
| Identity and Mobile Device Management | User identities and mobile devices accessing work resources are centrally managed and enforced. |
| Basic Conditional Access Policies | Sign-in rules control when, where, and how users can access work applications and data. |
| ITDR – Identity Threat Detection and Response | Automated monitoring detects suspicious sign-in behaviour and responds to identity-based threats. |
| Automated Device Provisioning Enablement | New devices are pre-configured and shipped ready to use. Device and shipping costs are not included. Delivery times vary by manufacturer; Apple and custom-built devices typically ship more slowly than standard PCs, so please allow extra lead time and consider keeping one or two spare devices on hand. |
| Standardized Staff Onboards and Secure Offboards | New staff are set up across all systems. Departing staff access is systematically revoked. 5 business days notice required for service to be included. If notice not provided, work is billable at Rush Rates. |
| Email & Data Protection | |
| Email and Cloud Drive Backup | Automated offsite backup of user email, OneDrive, and SharePoint. We recover deleted or corrupt files from backup. We perform restore testing monthly on a randomly selected file for every managed client, so recovery is proven before it is ever needed. |
| Client Resources | |
| 24/7 DIY IT Help Portal and Password Reset | Self-service portal for submitting tickets, tracking progress, resetting passwords, and accessing help documentation. |
| Microsoft 365 Video Training Library | On-demand video training covering Microsoft 365 applications, provided by a professional third-party training platform. |
| Cyber Security Awareness Training Library | On-demand cyber security awareness training with optional weekly training emails to each staff member. |
| IT Inventory | Real-time view of Your managed devices, software, and user accounts. |
| IT Planning Board | Visual roadmap of technology recommendations. Park or approve items to plan and budget for improvements. |
Requires: Microsoft 365 Business Premium or EMS E3 licenses (for Google Workspace environments).
Scope: MANAGED IDENTITY (per licensed user)
Your plan includes the day-to-day management and support of each licensed user’s cloud identity and access. This means we handle routine identity tasks so your team can focus on their work, not IT tickets.
Included in your plan:
All users also have access to our 24/7 self-serve password reset portal, the Microsoft 365 and cybersecurity awareness training library, and our IT inventory and planning tools.
Not included (billable as Additional Services or Service Request):
The principle is straightforward: maintaining and supporting your current identity setup is included. Changing the architecture or adding new capabilities is a project, scoped and quoted separately.
| Service | What This Means |
|---|---|
| Security | |
| Managed Antivirus | Enterprise antivirus installed, configured, and monitored on every managed device. |
| Managed EDR – Endpoint Detect and Response | Advanced threat detection that identifies and responds to security events beyond what antivirus catches. |
| Managed PAM – Privileged Access Management | Standard user profiles enforced. Admin rights removed. Approved application installs are handled through controlled elevation. |
| Maintenance | |
| 24/7 Device Health Monitoring and Reporting | Continuous monitoring of device health with automated self-healing for common issues. |
| Windows Update Management | Operating system patches applied and verified automatically. |
| Third-Party Patch Management | Automated patching of 200+ common browsers and applications. |
| Support | |
| Remote Troubleshooting Support | Remote diagnosis and resolution of device issues during support hours. See Service Standards for response time targets. |
| Remove or Add Device From or To Storage or New User | Reassign devices between users or move devices to and from storage as Your team changes. |
Applies to: Windows and macOS desktops, laptops, and Azure or Windows 365 virtual desktops managed by Us.
Scope: Per computer (physical or virtual). Covers the security, monitoring, patching, and support of each device on Your plan.
Your plan covers the ongoing security, maintenance, and support of each managed computer listed on your invoice. We manage Windows and macOS devices owned by your organization, configured with standard user profiles and admin access controlled by us.
Included in your plan:
We maintain an approved applications list for your organization. When you’re considering new software, we’ll vet it for security and advise on risk, though we don’t provide software selection consulting.
Not included (billable as Additional Services or Service Requests):
If a staff member installs software without our involvement, that software is outside the scope of your plan. If it causes a security incident or device issue, investigation and remediation are billable.
| Configuration | What This Means |
|---|---|
| Data Classification and Sensitivity Labels | Documents and emails are automatically or manually classified by sensitivity level to control access and sharing. |
| Data Loss Prevention (DLP) Policies | Rules that detect and prevent the unauthorized sharing of sensitive information outside Your organization. |
| Advanced Conditional Access Policies | Expanded sign-in rules beyond baseline, tailored to Your compliance framework. |
| Advanced Intune and Identity Management | Extended device and identity configurations required by Your specific compliance standards. |
| Device Compliance Monitoring | Continuous assessment of device compliance status against Your security baselines. |
| Compliance Documentation | Documentation of security controls and configurations to support Your audit and compliance needs. |
The specific configurations, scope, and fees for Your compliance requirements are set out in Your Statement of Work.
Requires: Managed Identity and Managed Device services must be in place before compliance configurations are applied.
Scope: Custom to each client. Scoped and quoted individually based on Your regulatory, industry, or organizational compliance requirements and may include any combination of the outlined Services.
The compliance add-on provides custom security configurations beyond the standard Managed Identity and Managed Device services. This is for organizations that need to meet specific regulatory, contractual, or industry security requirements.
Included when added to your plan:
Not included (billable as Additional Services or Service Requests):
The following services are available in addition to Your managed services plan. These are scoped individually and added to Your Statement of Work if required.
| Service | Details |
|---|---|
| Server Management (Local or Virtual) | 24/7 monitoring, patching, backup, and support for managed servers. Scoped per server. |
| Network, WiFi, Printer and NAS Management | Firmware updates and connectivity support for network devices installed and configured by Us. |
| VoIP Phone System Management | Management of Your cloud-hosted VoIP phone system including extensions, phone tree updates, and troubleshooting. |
| SIEM – Security Incident and Event Management | Configuration and maintenance of SIEM tools and log storage. Event review included. Incident log analysis billed at Your contracted rate. |
| Workstation Backup | Device-level backup and recovery for individual workstations. Does not include email backup. |
| Disaster Recovery on Virtual Devices | Rebuild of virtual systems in the event of ransomware or catastrophic failure. Physical device recovery billed separately. |
| Password Vault Management | Enterprise password manager with Single Sign On and vault management support. |
Applies to: Windows Server (physical or virtual) installed and configured by Us and listed on Your service invoice.
Scope: Per managed server. Covers 24/7 monitoring, patching, backup, and support for each server on Your plan.
Your plan covers the ongoing monitoring, maintenance, and support of each managed server. We keep servers patched, backed up, and healthy so they stay out of your way.
Included in your plan:
Not included (billable as Service Requests):
Applies to: Firewalls, switches, wireless access points, network-attached storage (NAS), and managed printers installed and configured by Us and listed on Your service invoice.
We do not monitor or manage infrastructure installed by third parties. We can provide support to certain third-party network installations, billable according to Our current Service Price List.
Scope: Per managed network. Covers firmware updates, monitoring, and connectivity troubleshooting during business hours for network equipment We installed and manage.
We manage the network equipment that connects your team to their work. Firewalls and WiFi equipment installed by Us are monitored with early detection systems that report issues to Us for remediation.
Not included (billable as Service Requests):
Applies to: TUCU-approved cloud-hosted VoIP phone systems configured and managed by Us.
Scope: Per managed phone system. Covers day-to-day administration of Your cloud-hosted VoIP system including extensions, phone tree updates, and troubleshooting.
We handle the ongoing administration of Your VoIP phone system so Your team can make and receive calls without worrying about the backend configuration.
Included in your plan:
Not included (billable as Service Requests):
Applies to: Enterprise-grade password manager software, provided by, configured by and managed by Us. Connects it to Your Microsoft 365 sign-in. We manage the day-to-day administration so Your team always has the right access.
In scope:
The software subscription, billed per user, per month through TUCU on Your invoice.
Single sign-on setup, so Your people log in to Bitwarden with their existing Microsoft 365 account.
General management of users and group assignments, including adding and removing users.
Group assignments for vaults, so the right teams get access to the right vaults.
Not included (billable as Service Requests):
How to use the app. Day-to-day use of the password manager is up to each user, though We offer some basic orientation videos to get Your team started.
Individual password management. We do not see, manage, create, or maintain the personal logins each user stores in their own vault.
The following services are not included in Your managed services plan and are billed separately.
| Service | Rate | Billing |
|---|---|---|
| After Hours Services - By Appointment | $225/hour | 3 hour minimum, billed in 15-minute increments thereafter. |
| Remote Moves, Adds, Changes | $130/hour | 30-minute minimum, billed in 15-minute increments thereafter. |
| Remote Rush Support | $250/hour | Available at Your request and Our discretion. 1-hour minimum. |
| On-Site Trip Fee | $90 flat | Within Toronto and Durham Region. Additional travel fees may apply outside these areas. |
| On-Site Moves, Adds, Changes | By Quote | 3-hour minimum per visit, billed in 15-minute increments thereafter. |
| On-Site Rush Support | $250/hour | Available at Your request and Our discretion. 4-hour minimum. |
| Staff Onboard or Offboard | See note | Included with 5 or more business days notice. Remote rush rates may apply with shorter notice. |
| Vendor Security Questionnaires and Compliance Documentation | $585/engagement | For clients on Compliance Management with Us only. |
| Major Projects | By quote | Scoped and quoted individually. |
| BYOD Device Support | $130/hour | Release form required. Security incidents from BYOD devices billed at investigation rates. |
| Security Investigation + Remediation | $250/hour | For any unmanaged, or managed high risk environment or identity. |
Rates may be updated from time to time with notice.
The following are outside the scope of all managed services plans:
Master Service Agreement – The legal framework governing Your relationship with Us, including responsibilities, liability, confidentiality, and termination.
Statement of Work – The specific services, fees, and payment terms for Your account. Attached as Schedule A to Your Master Service Agreement.
Service Standards – Support hours, response time targets, help desk scope, maintenance windows, and incident response. Published at hellotucu.com/services-standards.