Strawberry Security

FAQ

Honest answers,
before you book.

The stuff people actually want to know (or wish they’d asked) before handing their IT to someone.

01 Which one is right for me?

How do I know if I need Starter, Foundation, or Operations?

Start with team size, then look at where the pain is.

  • Under 4 people: you probably don’t need us yet. Use 1Password personal, turn on multi-factor authentication everywhere, and write things down. Come back when you’re hiring.
  • 4–10 people, no IT spend yet: Starter. The basics, done in a week, $1,200. You’ll have peace of mind for the next year.
  • 8–25 people, growing: Foundation. Once you’re hiring meaningfully, you need real device management and proper account setup.
  • You have a baseline already: Operations. Whether we built it or someone else did, this is the “keep it healthy” engagement. $250 per employee per month.
  • Around 50 people and growing fast: you’re probably approaching the point where an in-house IT hire makes sense. We’ll tell you that on the call and try to help you think it through.

If you’re between two options, default to the smaller one. We’d rather under-sell you and graduate you up than over-sell and have you feel oversold.

What if I’m smaller than your usual size or have an unusual situation?

Most small teams fit into Starter cleanly. It’s deliberately priced and scoped for the 4–10 person size. If you’re even smaller, or you have a more specific need, we still want to talk. A few examples that aren’t covered by Starter:

  • A 3-person studio that only wants the password manager piece done
  • A 12-person team that has 80% of Foundation already and only needs the gaps closed
  • A founder who wants a second opinion on what their existing IT person is doing
  • A specific project, like “help us answer a vendor security questionnaire by next month”

Book a call and we’ll figure it out. The first conversation is always free, and we’re honest about whether we’re the right fit.

I’m not sure what’s broken, just that something feels off. Is that enough to call you?

Yes. That’s actually the most common starting point.

“Something feels off” usually translates to one of: someone left and we never revoked access; we’re using shared logins for too much; we don’t know where our company data lives; a client asked us a security question and we panicked. The 30-minute discovery call is exactly for triaging this kind of vague unease.

How do I know if my email is set up properly?

Three quick tests anyone can run:

  • Send an email from your work address to mail-tester.com. A score under 8 means something’s wrong.
  • Check mxtoolbox.com/dmarc.aspx with your domain. If it says “no DMARC record found,” anyone can send email pretending to be you.
  • Search your own inbox for legitimate-looking emails from your domain that you didn’t send. If they exist, someone is impersonating you and you don’t know it.

Almost every small business we look at has at least one of these problems. Email security is the most common “we thought we were fine” gap.

We already have a part-time IT person. Should we replace them or add you?

Add us, almost always. Part-time IT people are usually great at the hands-on work: setting up a laptop, fixing a printer, handling a Slack request. They’re usually less great at the strategic, written, productized work: building runbooks, hardening identity, answering vendor questionnaires.

The cleanest model: we do the strategic and documented work, they do the hands-on stuff, you get both. We’ll never recommend firing your existing person.

02 About the service

How is this different from a traditional IT support company?

Three real differences:

  • Productized, not hourly. We sell defined engagements with defined deliverables at a fixed price. You always know what you’re paying for and what you’re getting.
  • One price, no surprises. Software, security, and support are all in one number. No itemized vendor invoices, no per-incident charges, no “that wasn’t included” after the fact.
  • We hand you the keys. Everything we build lives in your accounts and is documented in plain English. If you leave, you take it all with you. No lock-in.

A traditional IT support company is built around long contracts and surprise invoices. We’re built around doing a focused set of things really well, for one predictable price.

Do you offer 24/7 support?

Two answers, because there are two kinds of “24/7.” Our help line runs 8am to 8pm Eastern on weekdays, excluding Ontario stat holidays. That covers the questions, requests, and fixes that make up almost everything you’ll ever need.

But your security is watched around the clock. The threat protection on your devices is monitored overnight and on weekends by a dedicated security team that investigates suspicious activity and contains it where possible, often before it becomes a bigger problem, even at 3am. So the genuine emergency, a breach in progress, has eyes on it 24/7. What we don’t run is a round-the-clock help desk for routine issues, and most businesses your size don’t need one.

What’s your response time?

For Operations clients: within 4 business hours for non-urgent requests, within 1 business hour for “something is broken right now.” Most things get same-day resolution.

For Foundation clients during the engagement: same-day during the active project window.

For prospects who haven’t engaged yet: a few business hours for email, immediate via the booking link.

What happens after a Starter or Foundation engagement ends?

You keep everything. The runbook is yours. The accounts are in your name. The vault structure is yours. We hand over admin access and you’re done.

If you want ongoing care after that, we offer Operations. If not, no hard feelings. The work we did doesn’t require us to keep maintaining it.

Can you work with our existing tools and providers?

Yes, with one exception: we won’t set up tools we consider actively bad for your stack. If you’re using a free password manager with a known breach history, we’ll recommend you switch. If you’re on something that’s genuinely going to hurt you, we’ll say so.

For mainstream tools (Google Workspace, Microsoft 365, 1Password, Slack, Zoom, Dropbox, Notion), we fit ourselves around what you have.

Can you handle our laptops and hardware?

Yes. For Foundation and Operations clients, we handle the hardware headache end to end. Tell us a new hire is starting and we’ll coordinate the laptop, configure it, and have it arrive at their desk ready to work, signed in, secured, and loaded with the right access. No half-configured box, no “set it up yourself” afternoon.

The hardware itself is billed separately, at cost, with a flat setup fee for the configuration work, so you always see exactly what the gear cost and what our handling cost. We coordinate the purchase, the imaging, and the delivery; we’ll give you a realistic timeline up front (rush orders and remote or cross-border shipping can take longer).

How quickly can you start?

Usually 1–2 weeks from signing the engagement letter. We work with a small number of clients at a time so we don’t overbook.

If we’re currently full, we’ll tell you that on the discovery call and give you a realistic start date.

Do you work with companies outside Toronto?

Yes. We’re based in Toronto, but our work is remote and most engagements run over video calls and shared documents. We work with businesses across Canada and the US.

The only real constraints are time zones (we’re Eastern, and Pacific is workable but Asia/Europe is not), and US clients have a small amount of cross-border tax paperwork (W-8BEN, etc.) which we handle on our side.

03 Working together

What does the engagement look like, week by week?

For Foundation: a 30-minute kickoff call, a written intake form you fill out, 2–3 weeks of work split into clear phases (accounts, devices, email, documentation), a midpoint check-in, and a 60-minute handoff at the end. We send weekly written progress updates.

For Operations: monthly check-in, quarterly review, async requests throughout. Less formal, more ongoing.

Do you sign NDAs?

Yes. Our standard engagement letter includes mutual confidentiality terms that cover most cases. If your legal team needs a separate NDA, we’ll sign yours.

Will I own everything you build?

Yes. Runbooks, configurations, account structures, documentation: all yours, in your accounts, under your control. We don’t hold anything hostage.

If you ever decide to leave, the offboarding is genuinely simple: we revoke our admin access, hand over any remaining credentials, and you’re done. You keep working without us.

How do you handle our passwords and access?

Each client gets a dedicated, secured space in our password manager that only the people working on your engagement can access. We use multi-factor authentication for everything. We never store credentials in email, shared documents, or personal password managers.

For especially sensitive accounts (your domain registrar, primary payment processor, primary bank) we don’t hold standing access. We request it when needed and give it back when we’re done.

What happens if something happens to you?

Everything you need to run your IT without us is in your account, documented in your runbook, and the credentials are in your vault. If we disappear tomorrow, you can hand the runbook to any reasonable IT person and they can take over in a day.

That’s a deliberate design choice. We don’t want you locked into us.

04 Pricing and billing

What’s included in the price, and what costs extra?

For Operations, the monthly per-person price includes everything to keep your IT healthy and secure: support, threat protection, the software tools that run it, onboarding and offboarding, the works. You don’t get a separate invoice from a security vendor or a software company. One number covers it.

The things genuinely outside the monthly price are big one-time projects (a from-scratch setup is Foundation, as are migrations and office moves), hardware (coordinated and billed separately when you need it), and specialized work like SOC 2 audit prep. Day to day, if it’s about your team’s access, devices, security, or the systems we run, it’s included; one-off projects and things outside that we’ll scope separately. When something falls outside, we tell you up front and scope it clearly. What never happens is a surprise charge after the fact. No per-incident fees, no “that wasn’t covered.”

Are prices in USD or CAD?

Prices on this site are in CAD. Canadian clients pay in CAD plus HST (13% in Ontario, varies by province).

For US clients, we invoice in USD using the current exchange rate at engagement time. No HST applies to US clients. We’ll lay this out clearly in your proposal.

What if our team grows or shrinks mid-engagement?

For Foundation: the price is fixed for the engagement. If you’re mid-project and hire 5 more people, we’ll absorb the additional setup work.

For Operations: pricing is per employee per month, so your invoice tracks your actual headcount. If you hire two people in March, your April invoice reflects that. If someone leaves, the next invoice drops. No tier renegotiations, no contract amendments.

What’s the contract length for Operations?

Three-month initial term, then month-to-month with 30 days notice. We don’t lock people in. If we’re not earning the retainer, you should be able to leave.

How do you handle billing?

Invoices via email. For Canadian clients: e-transfer (preferred) or wire. For US clients: wire or ACH. Net 15 for one-time engagements, Net 30 for monthly retainer.

We’re happy to accept card payments via Stripe if you prefer. You’ll see a 2.9% surcharge that covers the Stripe fee, not a margin for us.

05 Trust and security

Do you carry professional liability insurance?

Yes. Errors & Omissions (Professional Liability) insurance with $1M per claim / $2M aggregate, plus cyber liability coverage. Certificate available on request and we’ll attach it to your engagement letter.

Are you a registered business?

Yes, registered in Ontario. We provide the business registration on every engagement letter. HST registration is in place. Canadian invoices show HST as a line item.

Where are you based?

Toronto. We serve Canadian and US service businesses primarily, with most work happening remotely over video calls and shared documents. Time zones from Pacific to Eastern work cleanly; we’re not the right fit for Asia or European-based teams.

How do I check that you actually know what you’re doing?

Three honest answers:

  1. The discovery call. We’ll talk about your setup and you’ll quickly know whether the conversation feels substantive or sales-y.
  2. Ask us a specific question. “How would you set up onboarding for a new hire on Google Workspace?” or “How would you approach our email security?” A vague answer is a red flag.
  3. Look at the work. We’ll happily share an example runbook (sanitized of any client identifying details) so you can see what the actual deliverable looks like.
Will my data leave Canada (or my country)?

For the tools we recommend (Google Workspace, Microsoft 365, 1Password, etc.), data residency follows the vendor’s policies. Usually U.S. or multi-region by default. For documentation we create on your behalf, it lives in your tenant, which means your data residency policies apply.

If data residency matters for your business, tell us on the discovery call and we’ll plan around it.

Still have questions?

Book the 30-minute call. We’d rather you ask a question we missed than guess from a website.

Book a 30-min call Email us