intermediate
faq
compliance
MDS

FAQ

Common questions about MDS 2.0, GBFS 3.0, Policy ingestion, real-time enforcement, the city portal, pricing, and Ride Report certification.

Levy Fleets TeamMay 18, 202611 min read

FAQ

General

Do I need this if my city doesn't require MDS yet?

Probably yes within 12 months. Tier-1 cities (LA, SF, Seattle, Chicago, Denver, Minneapolis, NYC) already require MDS 2.0 and GBFS 3.0 in new permits. Tier-2 cities are following the OMF permit template, which mandates the same. Onboarding now means your stack is ready when the city RFP drops.

Does Levy Compliance replace my permit lawyer?

No. We handle the technical compliance — the MDS endpoints, the Policy ingestion, the real-time enforcement, the reporting. Your lawyer handles the legal review, your insurance broker handles the coverage, and you maintain the city relationship. We are explicitly a non-goal on those fronts.

Will my existing operator zones still work?

Yes. Operator zones (parking, no-parking, slow, no-go, ride zones) continue to function exactly as before. Policy ingestion adds a new tier of zones on top, at a higher priority. When the two overlap, the city wins — but only at the overlap; your zones outside the overlap remain in effect. See Stacked Geofence Priority.

Can I run city compliance for some markets but not others?

Yes. The active flag on mds_jurisdictions lets you pause polling for a jurisdiction without deleting it. Cities you're not yet permitted in don't need a jurisdiction row at all. Levy Compliance is per-jurisdiction, not per-subaccount.

MDS Provider

Why are you on MDS 2.0.1 and not 2.1?

MDS 2.0.1 is current as of the OMF's latest release. 2.1 is in working-group draft. We track 2.1 in a separate branch and will ship it when OMF promotes it — at which point we'll also publish a versioned route prefix so cities can adopt at their own pace.

Why do you use both bearer tokens and JWTs?

Bearer is the primary auth — it's been the de-facto MDS Provider auth scheme for years, and most city systems are already set up for it. The signed JWT on every response is an additional integrity proof for cities that want one. They can ignore the JWT and use bearer-only, or verify both.

How often should JWKS keys rotate?

Annually is the recommended cadence, matching OMF guidance. Rotation is non-blocking — we publish active + grace-window keys both, so cities have a 7-day window to refresh their JWKS cache. See JWKS Key Management.

Does Cloudflare proxy these endpoints?

Yes. All public MDS endpoints sit behind the existing Cloudflare layer for DDOS and bot mitigation. Bearer-token rate limits at 60 req/min apply on top.

GBFS

Do I have to migrate consumers from 2.x to 3.0?

No. Both feeds publish in parallel. Existing 2.x consumers continue without change. Cities requesting 3.0 are pointed at the /v3/ URL.

Will GBFS 3.0 break my mobile app?

The customer mobile app reads GBFS 3.0 by default. If you maintain a third-party consumer that's on 2.x, leave them on 2.x — the legacy feed isn't going away. The GBFS spec itself supports multi-version coexistence via manifest.json.

Where does vehicle_type_id come from?

vehicle_models.gbfs_type_id. Set this per model in Settings -> Vehicle Models. If unset, the vehicle is omitted from vehicle_status.json — visible only as an aggregate in system_information.json.

Policy ingestion

How frequently is the city's feed polled?

Every 60 seconds by default. Each mds_jurisdictions.poll_interval_s can override that — minimum 30 seconds, maximum 600. We use sha256 short-circuit on byte-identical payloads so steady-state polling is essentially free.

What if the city's feed goes offline?

The last successfully ingested policies remain in effect. After 3 consecutive failed polls (3 minutes of downtime), we alert via Sentry + Slack. The previous state is never rolled back; we wait until the feed comes back and we can re-ingest cleanly.

Can I edit the policies imported from a city?

No — the operator UI does not expose write actions on mds_policies or policy_geofences. Those rows are owned by the city's Policy feed. To change them, the city updates their feed; we re-ingest on the next poll.

What if the city publishes a retroactive policy?

We apply it at ingestion time (now), log a late_activation warning in the audit, and never back-date enforcement events. If the city's policy claims start_date = 2026-01-01 and we ingest on 2026-05-18, enforcement begins 2026-05-18 — we don't pretend to have enforced for the prior months.

What if two cities overlap?

Operator at the SF/Oakland border, for example. Each mds_jurisdictions.geometry defines a boundary; a vehicle in the overlap inherits both jurisdictions' rules, resolved via the priority ladder. In practice the city tiers are the same (1000-tier), so the strictest of the two rules wins.

Real-time enforcement

What's the latency target?

<10s p95 from policy activation to first IoT command sent. OKAI ~3-5s, Omni ~5-8s, Queclink ~5-8s, ZIMO depends on MQTT broker, Segway BLE-relay can spike to 30s+. We document Segway's gap to cities up front.

Does enforcement work on vehicles that are offline?

No. The 5-minute stale-GPS skip is by design. When the vehicle wakes up and sends a fresh GPS, the existing zone-crossing engine picks up the policy geofence and dispatches the command. No command is lost — it just arrives when the vehicle is reachable.

Will riders be notified?

Yes. In-app push notifications fire when a rider enters a city slow-zone or no-ride zone. The message includes a "City" prefix so riders can distinguish operator zones from city policy. See Real-Time Speed Enforcement.

Can I override enforcement for a single vehicle?

Yes — Vehicle detail -> Compliance actions -> Set speed limit issues a setSpeedLimit() directly, logged with action = 'manual_override' and a reason note. The override expires on the next zone-crossing event.

City portal

Can cities edit anything?

No. The portal is read-only. Cities edit their own Policy feed; we re-ingest. The portal exists so cities can see their fleet, their trips, their corrals, and their compliance score in real time.

How do I add a second contact for the same jurisdiction?

Operator dashboard -> Compliance -> Jurisdiction detail -> City contacts -> Add. Each contact gets independent magic-link auth and an independent digest cadence.

Can I revoke access mid-session?

Yes. Set portal_access = false on the contact row. Active session cookies become invalid immediately; the contact is logged out on the next request.

Is the portal available in non-English languages?

en and es at launch. Additional locales fall back to English. The contact's locale field on city_contacts controls both portal language and digest email language.

Digests + reports

What's the difference between a digest and a compliance-report API call?

A digest is the proactive email Levy sends on cadence. The compliance-report API is a pull endpoint cities call when they need a report ad-hoc. Both render from the same buildComplianceReport() shape.

How long are reports retained?

city_compliance_reports is retained indefinitely. This is the city's audit trail; we don't garbage-collect it.

Can I generate a custom report?

Custom report formats (CSV exports beyond the built-in trip report, equity-zone deep-dives, etc.) are roadmap. Today the built-in formats cover the most-asked-for city formats. For one-offs, query the underlying tables directly via the Partner API.

Pricing + packaging

Is this included in my plan?

Bundled with the Enterprise tier if you have at least one active jurisdiction. For Pro and below, it's a $200/month per-jurisdiction add-on plus a one-time $500 onboarding fee per new city.

Do cities pay anything?

No. The MDS Provider feed, the GBFS 3.0 feed, the city portal, and digest emails are free to the city. This is permit-eligibility infrastructure, not revenue.

What about Ride Report Certified fees?

If you opt in to Ride Report Certified status, that fee is passed through to you at cost (it varies by Ride Report's pricing tier). We don't mark it up.

Ride Report Certified

What is Ride Report Certified?

Ride Report's program that audits an operator's compliance stack against a checklist (endpoint correctness, latency SLOs, complaint-handling proof) and issues a certified badge. Several city RFPs now reference this badge as a permit qualifier.

When can I apply for it?

After Phase 1+2 (MDS Provider + GBFS 3.0) are live and validated. The audit covers endpoints, latency, and reporting fidelity. Levy provides the technical evidence; you handle the application.

Do you guarantee certification?

No — the certification is between you and Ride Report. We guarantee that the underlying stack is conformant and that we'll fix any gaps surfaced during the audit. In practice, operators on the latest Levy Compliance build pass.

Anything else?

Hit support@levyelectric.com or your account team. For city-side technical questions, cities can email the same address — we treat city support as first-class.

Help Center Home|Back to City Compliance & MDS

Related Articles

Levy Compliance Overview

What Levy Compliance does, how MDS 2.0 Provider, GBFS 3.0, city Policy ingestion, and real-time enforcement fit together for permitted operators.

12 min read
intermediate
city compliance

Permit-Condition Reports

How permit_conditions rows drive the daily compliance scoreboard — fleet cap, equity-zone deployment, complaint SLA, EOD trip report, and corral utilization.

13 min read
intermediate
city compliance

Troubleshooting

When MDS endpoints, Policy ingestion, enforcement, the city portal, or digest emails misbehave — the canonical checklist.

14 min read
advanced
city compliance