Hiring help should make your life simpler.
But if you’ve ever worked with a vendor who talked a big game, locked you into a contract, asked for “admin access to everything,” and then disappeared when you had questions… you already know how this goes.
This post is your marketing agency checklist. Not a hype piece. Just the practical stuff that protects your budget, your brand, and your accounts.
If an agency is solid, they won’t be offended by any of this. They’ll be relieved you’re organized.
Start here: what are you actually hiring them to do?
Before you talk packages, decide what problem you’re solving. Otherwise you’ll end up paying for “everything” and feeling unclear about what you got.
Write down one sentence:
- We are hiring help because __________________________.
Examples:
- “We need consistent content and someone to manage comments and DMs.”
- “We want more qualified leads from local search.”
- “Our ads are spending money but we don’t trust the tracking.”
- “Our website is outdated and not converting.”
If you need clarity on what you actually need (social, SEO, web, ads), that’s a strategy conversation—before deliverables. That’s how we approach it at Stark: one system, not random tasks. (See SEO and web design if you’re tightening the foundation.)
The contract checklist (so you don’t get trapped)
Most bad agency experiences don’t start with bad intentions. They start with vague contracts.
Here’s what to look for before you sign anything:
1) Term + exit terms
- Is it month-to-month, or a long contract?
- If it’s long, what’s the reason (and what’s the escape hatch)?
- What notice is required to cancel?
- Are there “setup fees” that magically appear if you leave?
Long contracts aren’t automatically evil. But if you’re being pushed into one before they’ve proven value, that’s a signal.
2) Deliverables you can actually understand
If a contract says “content creation” or “SEO,” that’s not a deliverable. That’s a category.
Ask for specifics:
- How many pieces? What type? Where do they get published?
- Who writes, who approves, and what’s the timeline?
- What happens if you don’t like the work?
- What does “management” include (comments, DMs, reporting, community)?
3) Ownership: you keep what you paid for
Make sure the contract states clearly:
- You own your creative assets.
- You own your ad accounts and data.
- You own your website, domain, and hosting access.
- You can leave without losing your infrastructure.
If the agency “owns” your ad account, your pixels, your domain, or your website build in a way that prevents you from taking it with you… pause.
The access checklist (so you don’t lose your own accounts)
This is the part most businesses don’t think about until it’s too late.
Here’s the rule: no shared passwords. Not for email. Not for social. Not for the website. Not for ads.
Instead, access should be granted through proper roles and permissions:
- Meta Business Manager: partner access, role-based permissions.
- Google: add users to Analytics/Search Console/Ads with appropriate roles.
- Website (WordPress, etc.): user accounts with the lowest necessary permissions.
- Domain/hosting: separate logins, documented access, and clear ownership.
Before you begin, ask for an “access map” in writing:
- What accounts do you need access to?
- What level of access do you need (admin vs editor)?
- Who on your team will have access?
- How will access be removed when the relationship ends?
A professional team will already have a process for this. If they don’t, you’re taking on risk you don’t need.
The security checklist (this is non-negotiable)
Marketing agencies touch the keys to your business: your website, your email, your ad spend, your social presence, and your customer messages.
So yes—security is part of hiring.
Minimum security standards
- Two-factor authentication (2FA) enabled on email, hosting, CMS, Meta, Google, and any password manager.
- Unique passwords for every system (no repeats).
- Role-based access (no “everyone is admin” situations).
- Offboarding process in writing (remove access immediately on termination).
If you need a quick way to create stronger passwords, we keep a free tool here: Password Generator.
Questions to ask (and the answers you want)
- “Do you use 2FA?” → Yes, everywhere it’s available.
- “How do you store passwords?” → A password manager, not spreadsheets, not email.
- “Who will have access?” → Named people, not “our team.”
- “What happens if someone leaves your company?” → Access is removed immediately and audited.
If they get weird about this, that’s the answer.
Red flags (the quiet ones that matter)
- They promise outcomes they can’t control. (“Guaranteed #1 ranking,” “guaranteed leads.”)
- They can’t explain what they’re doing in plain language.
- They push a long contract immediately.
- They want full admin access by default.
- They avoid talking about tracking and attribution.
- They report activity instead of impact. (Lots of “work done,” little business movement.)
Green flags look boring:
- Clear plan, clear scope, clear expectations.
- Documentation.
- Simple reporting tied to real business goals.
- Respect for your brand voice and your time.
A simple “copy/paste” agency email
If you want to make this easy, here’s a short message you can send to any agency you’re considering:
Hi — before we move forward, can you confirm the contract term and cancellation policy, list deliverables in plain language, and outline what access you need (and how you handle permissions + offboarding)? Also confirm you require 2FA and use a password manager. Thank you.
If they respond clearly and quickly, good sign. If they dodge, that’s also useful information.
If you want a second opinion
If you’re about to sign with an agency and you want a quick “does this look normal?” check, we’re happy to take a look. Calm, direct, no pressure.
Start a conversation. If we’re not the right fit, we’ll tell you that too.
