Municipal Ledger FAQ
For city staff using the ledger day-to-day, and for the city attorneys, finance directors, and procurement officers reviewing it.
§ 01 ·About the tool
What is TenYear?
A web-based workflow tool that helps city finance staff manage System Development Charge credits: recording issuances, monitoring expirations, processing transfers, and generating council and audit reports. It is software that supports your existing process, not a system of authority. Every credit decision is still made by City staff under state law.
How does it fit with what we already use?
TenYear runs alongside your ERP, permitting, and accounting systems. It does not replace your accounting system, your official record of authority, or any internal records the City elects to maintain. It gives staff a faster way to do the credit-specific work and produces clean exports for the records your city already keeps.
Who's behind it?
TENYEAR LLC, an Oregon limited liability company (Oregon Secretary of State Registry #253294293). Contact: legal@tenyear.app.
Who is it for?
Cities, counties, and special districts in Oregon and Washington that issue SDC credits (ORS 223) or impact fee credits (RCW 82.02). The same workflow applies to credits in other states. We will add jurisdiction-specific statutory references when you request them.
§ 02 ·Day-to-day operations
What can staff actually do in the ledger?
Record new credits with all relevant detail (resolution number, fee type, district, holder, value, project, expiration). Process transfers with city approval where required. Attach supporting documents (resolution PDFs, issuance letters, permits, correspondence). View an immutable audit timeline of every change. Generate council reports and quarterly summaries. Export everything to CSV at any time.
How do I add a credit?
Sign in, open the Credits view, click "Add Credit", and fill in the form. Required fields are credit number, fee type, holder, original value, issued date, and expiration date. Optional fields cover project name, address, district, resolution number, and notes. The credit appears immediately in the inventory and the issuance is recorded in the audit log.
How do I process a transfer?
Open the credit, choose "New Transfer", enter amount, the receiving holder, and the project the credit is being applied to. If your city requires transfer approval, the transfer enters a "pending" queue for an administrator to review. Once approved, the credit's remaining value is decremented and the transfer is recorded immutably.
Can I import existing credits?
Yes. The import wizard accepts CSV and Excel files. It auto-detects column headers, lets you map fields, validates each row, flags duplicates, and shows you a preview before commit. Most cities are fully imported in one session. The first import is logged with the filename, total rows, imported count, skipped count, and errors so you can audit what landed.
Can multiple staff work in it at the same time?
Yes. Concurrent edits are supported. Each action is timestamped to the second and attributed to the staff member who performed it; if two people change the same field within a moment of each other, the audit log shows both events.
How do reminders and alerts work?
The ledger watches expiration dates and notifies staff (and credit holders, where contact info is on file) at five tiers before expiration: 12 months, 6 months, 3 months, 30 days, and 14 days. Notifications are emails, not changes to the ledger; the credit only changes state when staff act.
Can I attach documents to a credit?
Yes. Attach the resolution authorizing the credit, the issuance letter to the holder, permits, agreements, correspondence, or any other PDF/image. Attached files are stored encrypted and exported alongside the credit data.
How do I generate a council report?
Reports view, choose the period, generate a council-ready summary or a flat data export. Download as CSV or PDF. You can also schedule reports to be emailed automatically on a weekly, biweekly, monthly, or quarterly cadence to a list of recipients.
What does the audit log show, and can I trust it?
Every action: who, when, what changed (before and after value), and the actor's IP address. The audit log is append-only at the database layer: a rejection trigger blocks any UPDATE or DELETE attempt, including by TenYear staff. You can export the audit log as CSV at any time.
What if a staff member enters something incorrectly?
Make a correction the same way you would in any ledger: enter the correcting action. The audit log shows the original entry, the correction, and the actor. Records management considers both events together. The City controls who has admin rights and how corrections are made; that is a municipal records decision, not a TenYear one.
Can I revoke or cancel a credit (city error in original issuance)?
Yes. Open the credit and set its status to "cancelled" (administratively retired) or "suspended" (under review). Both states block further transfers. The status change is recorded immutably in the audit log alongside the original issuance, so the record of why the credit was retired survives.
§ 03 ·Roles and team access
What roles exist?
Two roles for municipal users: administrator and staff. Administrators can change city settings, invite or remove team members, configure transfer approval, schedule reports, export data in bulk, and initiate termination. Staff can do day-to-day work: record credits, process transfers, view reports, export per-credit history. The City decides who holds each role.
How do I invite a colleague?
In Staff settings (administrator only), enter their work email, choose the role, and send. They receive an invitation email and sign in at /ledger using a magic link sent to that same address. No password to manage. You can remove a staff member from the same page at any time.
How do I remove someone who left?
Same Staff settings page, "Remove". Their access is revoked immediately. Any records they created remain intact and continue to show their identity in the audit log; that is by design for records retention.
Can I give a council member or an attorney one-off read-only access?
Yes. Invite them as Staff (the staff role is read/write but they do not need to use write features). For purely read-only access, use the export tools to send them a CSV instead. We may add a dedicated read-only role later; tell us if you need it now.
Can my staff sign in with our SSO / Google Workspace?
Yes for Google Workspace (Google OAuth is supported). For Microsoft / Okta / generic SAML, contact us; SSO with major IdPs is on the roadmap and we can prioritize for cities that need it.
§ 04 ·Authority and decision-making
Does TenYear control SDC credits?
No. The City issues, values, transfers, and expires every credit under state law (ORS 223.297 to 223.314 in Oregon; RCW 82.02.050 to 82.02.100 in Washington). TenYear records the decisions your authorized staff make. It does not make them.
Does using TenYear delegate any governmental authority?
No. Section 11 of the Municipal Terms expressly reserves all SDC credit authority to the City. Nothing in the agreement transfers, assigns, or shares that authority with TenYear or any third party.
Are any decisions automated?
No. There are no automated approvals, AI-generated valuations, or algorithmic transfer decisions. Staff click an action; the system records it. Expiration alerts and reports are notifications and reads. They do not change the ledger.
§ 05 ·Data ownership and use
Who owns the data?
The City. 100%. TenYear claims no ownership interest and uses the data only to operate the ledger for you.
Do you sell, share, or analyze our data?
No. We do not sell, share, license, sublicense, or distribute City data. We do not use it for analytics across cities, advertising, benchmarking products, or AI/model training. There are no exceptions buried in the terms.
Where is the data stored, and who hosts it?
United States, on managed infrastructure (Turso/libSQL with logical isolation per city).
Who else touches city ledger data?
Turso (managed database, US), Railway (application hosting, US), Resend (transactional email), Sentry (error monitoring). Stripe and DocuSign are used only on the separate buyer/seller marketplace and do not receive city ledger data. Google OAuth is optional. An updated subprocessor list is available at privacy@tenyear.app.
Do TenYear staff have access to our data?
TenYear engineering staff do not read the contents of City records as part of routine operations. Deploys, monitoring, and infrastructure work do not require reading data. If you open a support ticket that requires us to look at a specific record, we ask for explicit authorization first and we record the read in our internal audit trail.
§ 06 ·Public records and retention
Are records in TenYear public records?
The records you create in TenYear are City records, subject to your jurisdiction's public records law just like any other financial record. The platform is a tool the City uses to maintain those records; the records belong to the City.
How do we respond to a public records request?
Two paths. Your administrators can self-serve unlimited CSV exports of credits, transfers, audit logs, and import history at any time. Or you can email us and we will provide the export within 5 business days at no charge. Either way, the City controls disclosure.
Does this comply with our retention schedule?
Yes. TenYear retains all City data for the agreement term plus 7 years, or your retention schedule, whichever is longer. This exceeds both Oregon (OAR 166-200-0215, 10-year financial records) and Washington (CORE v5.0) minimums. All records are exportable in CSV for archival ingestion.
Who keeps records after we leave?
You do. On termination you receive a complete export, and TenYear certifies deletion of all City data within 30 days with written confirmation. Retention obligations stay with the City; TenYear does not retain a duplicate copy of your data after wind-down.
§ 07 ·Security
How is the data secured?
Per-city logical database isolation, TLS 1.2+ in transit, encryption at rest, role-based access, immutable audit logs (actor, timestamp, IP), email-verified authentication, and US hosting. Section 8 of the Municipal Terms is the binding version.
Are you SOC 2 / StateRAMP / FedRAMP certified?
Not yet. We are an early-stage company; formal third-party certifications are on the roadmap as our city customer base grows. Cities that need certification today often start with a no-cost pilot under their existing vendor risk policy and migrate to a certified deployment once available. We are transparent about this rather than implying coverage we do not have.
What's the breach notification policy?
72 hours from discovery, in writing, including the nature of the breach, data affected, remediation steps, and prevention measures. This is contractual (Section 9), not best-effort.
Do you carry insurance?
Not currently. We are an early-stage company and have not yet bound general liability, cyber liability, or errors-and-omissions coverage. We will bind appropriate coverage before any paid engagement, and we are willing to bind earlier if requested by the City as a condition of executing the agreement. Certificates will be provided to City risk management once coverage is in force.
§ 08 ·Liability and indemnity
Do we have to indemnify TenYear?
No. The Municipal Terms expressly do not require City indemnification (Section 10). This is non-negotiable from our side; we do not ask cities to indemnify us.
What's TenYear's liability?
TenYear is liable for direct damages caused by our negligence or willful misconduct. We do not seek consequential or punitive damages from cities. Our liability is not capped at a token amount that would leave the City covering losses caused by our errors. (See the insurance question above for the current state of our coverage.)
Where are disputes resolved?
Your state's law, your jurisdiction's courts. No mandatory arbitration, no out-of-state venue, no choice-of-law gymnastics.
§ 09 ·Contracting and procurement
Does adopting TenYear require an RFP?
That depends on your procurement policy for no-cost agreements; many cities have a streamlined path. Common starting question: "What is our process for approving a no-cost software agreement with an outside vendor?" We are happy to provide whatever documentation procurement needs.
Can we use our standard vendor agreement or IGA template?
Yes. We sign cities' standard vendor agreements and intergovernmental agreement templates routinely; it is often faster than negotiating ours. Send the template to legal@tenyear.app.
What changes can TenYear make to the terms unilaterally?
None that affect cost or material rights. Material changes require 90 days written notice (Section 12), and the City can terminate without penalty if it disagrees. The core ledger is contractually committed to remain free under Section 2 of the Municipal Terms; this commitment survives change of control.
What happens if TenYear is acquired?
The City's terms, including data ownership, no indemnification, free access to core ledger features, and termination rights, survive any change of control. If a successor proposed terms we would not sign, the City would have the same termination and full-export rights it has today.
§ 10 ·Continuity, support, and operations
What if we want to leave?
Terminate any time, no penalty. Full data export in CSV. Certified deletion within 30 days with written confirmation. The administrator settings page has a "Terminate ledger" action that produces the final export immediately and starts the 30-day clock.
What if TenYear shuts down or stops the service?
180 days written notice. Full ledger access and export functions remain available throughout the wind-down. You leave with everything you put in, in standard formats.
Is there any vendor lock-in?
No. The data model is documented, exports are CSV, and the City can take its records to any system (including back to spreadsheets) without our cooperation.
How do we get help?
Email support@tenyear.app for operator questions (how do I, why isn't this working, can you check). Email legal@tenyear.app for contracting and policy questions. We aim for first response within 1 business day; complex questions may take longer to fully resolve.
What about outages?
We monitor production continuously and respond to incidents with the same 72-hour breach-notification clock the Municipal Terms commit to. For non-breach outages (the platform is unreachable, slow, or returning errors), we publish status updates via email to administrators and aim to resolve within hours, not days. There is no formal uptime SLA; the platform is free, and a paid SLA is part of the conversation if your city wants one.
§ 11 ·The TenYear marketplace (separate product)
What is the marketplace?
A separate web product where private parties (typically developers) can list SDC credits for sale and where buyers can find them. The marketplace runs on a different surface than the city ledger and uses different subprocessors (Stripe for payments, DocuSign for purchase agreements). It exists at tenyear.app/browse when enabled.
Are we required to participate?
No. The marketplace is opt-in for private parties who hold credits. Cities are not parties to those transactions. The City's role does not change: when a marketplace transfer requires city approval (per ORS 223 / RCW 82.02 and your local ordinance), the buyer or seller submits the transfer through the same approval workflow your staff already use.
Does the marketplace affect our authority over transfers?
No. Every transfer that hits your jurisdiction goes through the same approval queue and the same staff decision. The marketplace is upstream of the transfer; the city decision is unchanged.
Does the marketplace see our ledger data?
No. The marketplace and the city ledger are separate products with separate subprocessors. Stripe and DocuSign never receive city ledger data. The only shared data is what already passes through the City: when a marketplace transfer is submitted to your city, the buyer and seller identities and the credit number show up in your transfer queue, the same way they would for a phone call or paper submission.
§ 12 ·Onboarding
How do we get started?
Sign up with city email, invite your team, and import existing credits via CSV. Most teams are set up the same day; the actual time depends on the size of your existing credit inventory and how it is currently kept. The import wizard auto-detects columns and validates data. We are happy to do a 30-minute live walk-through with the team if that helps.
What does my CSV need to look like?
Anything reasonable. The wizard auto-detects columns by name (case-insensitive, fuzzy matched), lets you re-map any field, and previews the result before commit. If your data is in Excel, paste the relevant tab into a single sheet and export to CSV. If your data is on paper or in a PDF, scan and we can help triage from there.
Will we need IT support?
Browser-only. No installation, no on-premise components, no integration work required for the core ledger. If you want to integrate with permitting or ERP later, that is optional and additive. Most setups do not involve your IT department at all.
What if it doesn't work for us?
Terminate, export, walk away. No cost, no obligation. We would rather you leave easily than feel stuck.