From df905ff698765e13519d10a60020811c1eba093f Mon Sep 17 00:00:00 2001
From: Leszek Pietrzak <leszek@magicznyleszek.xyz>
Date: Wed, 13 Nov 2024 14:02:02 +0100
Subject: [PATCH 1/8] style(universalTable) use Array<T> for columns prop
 (#5260)

---
 .../universalTable/paginatedQueryUniversalTable.component.tsx   | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/jsapp/js/universalTable/paginatedQueryUniversalTable.component.tsx b/jsapp/js/universalTable/paginatedQueryUniversalTable.component.tsx
index b5775af594..e53245b3d5 100644
--- a/jsapp/js/universalTable/paginatedQueryUniversalTable.component.tsx
+++ b/jsapp/js/universalTable/paginatedQueryUniversalTable.component.tsx
@@ -18,7 +18,7 @@ interface PaginatedQueryUniversalTableProps<DataItem> {
   // Below are props from `UniversalTable` that should come from the parent
   // component (these are kind of "configuration" props). The other
   // `UniversalTable` props are being handled here internally.
-  columns: UniversalTableColumn<DataItem>[];
+  columns: Array<UniversalTableColumn<DataItem>>;
 }
 
 const PAGE_SIZES = [10, 30, 50, 100];

From 9c51f17cf942e1932f6068c634167825da2fd700 Mon Sep 17 00:00:00 2001
From: James Kiger <68701146+jamesrkiger@users.noreply.github.com>
Date: Wed, 13 Nov 2024 10:27:42 -0500
Subject: [PATCH 2/8] refactor(organizations): add configurable redirect route
 to org validator TASK-975 (#5262)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

### 📣 Summary
Makes the `ValidateOrgPermissions` component require a redirect route so
it can be used outside of the account settings area of the app. Moves
the component file to the root router folder.

### 💭 Notes
I made the redirect route a required prop. Previously redirect was a
boolean that defaulted to true. We don't currently have any use case for
not doing a redirect with this component and requiring it reduces
boolean checks.

---------

Co-authored-by: Leszek Pietrzak <leszek@magicznyleszek.xyz>
---
 jsapp/js/account/routes.tsx                   | 20 +++++++++++++++----
 .../validateOrgPermissions.component.tsx      | 15 ++++++--------
 2 files changed, 22 insertions(+), 13 deletions(-)
 rename jsapp/js/{account/organizations => router}/validateOrgPermissions.component.tsx (74%)

diff --git a/jsapp/js/account/routes.tsx b/jsapp/js/account/routes.tsx
index 1046d5ed85..ba5f3a313e 100644
--- a/jsapp/js/account/routes.tsx
+++ b/jsapp/js/account/routes.tsx
@@ -1,7 +1,7 @@
 import React from 'react';
 import {Navigate, Route} from 'react-router-dom';
 import RequireAuth from 'js/router/requireAuth';
-import {ValidateOrgPermissions} from 'js/account/organizations/validateOrgPermissions.component';
+import {ValidateOrgPermissions} from 'js/router/validateOrgPermissions.component';
 import {OrganizationUserRole} from './stripe.types';
 import {
   ACCOUNT_ROUTES,
@@ -36,7 +36,10 @@ export default function routes() {
         index
         element={
           <RequireAuth>
-            <ValidateOrgPermissions validRoles={[OrganizationUserRole.owner]}>
+            <ValidateOrgPermissions
+              validRoles={[OrganizationUserRole.owner]}
+              redirectRoute={ACCOUNT_ROUTES.ACCOUNT_SETTINGS}
+            >
               <PlansRoute />
             </ValidateOrgPermissions>
           </RequireAuth>
@@ -47,7 +50,10 @@ export default function routes() {
         index
         element={
           <RequireAuth>
-            <ValidateOrgPermissions validRoles={[OrganizationUserRole.owner]}>
+            <ValidateOrgPermissions
+              validRoles={[OrganizationUserRole.owner]}
+              redirectRoute={ACCOUNT_ROUTES.ACCOUNT_SETTINGS}
+            >
               <AddOnsRoute />
             </ValidateOrgPermissions>
           </RequireAuth>
@@ -63,6 +69,7 @@ export default function routes() {
                 OrganizationUserRole.owner,
                 OrganizationUserRole.admin,
               ]}
+              redirectRoute={ACCOUNT_ROUTES.ACCOUNT_SETTINGS}
             >
               <DataStorage activeRoute={ACCOUNT_ROUTES.USAGE} />
             </ValidateOrgPermissions>
@@ -78,6 +85,7 @@ export default function routes() {
                 OrganizationUserRole.owner,
                 OrganizationUserRole.admin,
               ]}
+              redirectRoute={ACCOUNT_ROUTES.ACCOUNT_SETTINGS}
             >
               <DataStorage
                 activeRoute={ACCOUNT_ROUTES.USAGE_PROJECT_BREAKDOWN}
@@ -108,7 +116,10 @@ export default function routes() {
             path={ACCOUNT_ROUTES.ORGANIZATION_MEMBERS}
             element={
               <RequireAuth>
-                <ValidateOrgPermissions mmoOnly>
+                <ValidateOrgPermissions
+                  mmoOnly
+                  redirectRoute={ACCOUNT_ROUTES.ACCOUNT_SETTINGS}
+                >
                   <div>Organization members view to be implemented</div>
                 </ValidateOrgPermissions>
               </RequireAuth>
@@ -124,6 +135,7 @@ export default function routes() {
                     OrganizationUserRole.admin,
                   ]}
                   mmoOnly
+                  redirectRoute={ACCOUNT_ROUTES.ACCOUNT_SETTINGS}
                 >
                   <div>Organization settings view to be implemented</div>
                 </ValidateOrgPermissions>
diff --git a/jsapp/js/account/organizations/validateOrgPermissions.component.tsx b/jsapp/js/router/validateOrgPermissions.component.tsx
similarity index 74%
rename from jsapp/js/account/organizations/validateOrgPermissions.component.tsx
rename to jsapp/js/router/validateOrgPermissions.component.tsx
index 8d2e83792e..a35ba98f1b 100644
--- a/jsapp/js/account/organizations/validateOrgPermissions.component.tsx
+++ b/jsapp/js/router/validateOrgPermissions.component.tsx
@@ -1,15 +1,14 @@
 import React, {Suspense, useEffect} from 'react';
 import {useNavigate} from 'react-router-dom';
 import LoadingSpinner from 'js/components/common/loadingSpinner';
-import {ACCOUNT_ROUTES} from 'js/account/routes.constants';
 import {useOrganizationQuery} from 'js/account/stripe.api';
-import {OrganizationUserRole} from '../stripe.types';
+import {OrganizationUserRole} from '../account/stripe.types';
 
 interface Props {
   children: React.ReactNode;
+  redirectRoute: string;
   validRoles?: OrganizationUserRole[];
   mmoOnly?: boolean;
-  redirect?: boolean;
 }
 
 /**
@@ -19,9 +18,9 @@ interface Props {
  */
 export const ValidateOrgPermissions = ({
   children,
+  redirectRoute,
   validRoles = undefined,
   mmoOnly = false,
-  redirect = true,
 }: Props) => {
   const navigate = useNavigate();
   const orgQuery = useOrganizationQuery();
@@ -30,18 +29,16 @@ export const ValidateOrgPermissions = ({
   ) : true;
   const hasValidOrg = mmoOnly ? orgQuery.data?.is_mmo : true;
 
-  // Redirect to Account Settings if conditions not met
   useEffect(() => {
     if (
-      redirect &&
       orgQuery.data &&
       (!hasValidRole || !hasValidOrg)
     ) {
-      navigate(ACCOUNT_ROUTES.ACCOUNT_SETTINGS);
+      navigate(redirectRoute);
     }
-  }, [redirect, orgQuery.data, navigate]);
+  }, [redirectRoute, orgQuery.data, navigate]);
 
-  return redirect && hasValidRole && hasValidOrg ? (
+  return hasValidRole && hasValidOrg ? (
     <Suspense fallback={null}>{children}</Suspense>
   ) : (
     <LoadingSpinner />

From 48df83ac7ee4eb50665f55a36f9942e4017f4f16 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Olivier=20L=C3=A9ger?= <olivierleger@gmail.com>
Date: Wed, 13 Nov 2024 12:04:24 -0500
Subject: [PATCH 3/8] refactor(organization): use autocomplete fields in Admin
 UI for organizations TASK-965 (#5254)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

### 📣 Summary
Switch to autocomplete fields for usernames instead of input fields for
user IDs.


### 📖 Description
Replaced input fields requiring user IDs with autocomplete fields for
usernames. This update simplifies the process of adding members to an
organization by allowing users to search and select members by their
usernames, rather than manually finding and entering user IDs or
OrganizationUser relationship IDs.
---
 hub/admin/extend_user.py                      |  40 ++++-
 hub/static/admin/css/inline_as_fieldset.css   |   3 +
 kobo/apps/kobo_auth/models.py                 |   2 +-
 .../apps/viewer/models/parsed_instance.py     |   2 +-
 kobo/apps/organizations/admin.py              |  64 -------
 kobo/apps/organizations/admin/__init__.py     |   7 +
 kobo/apps/organizations/admin/organization.py |  93 +++++++++++
 .../admin/organization_invite.py              |   7 +
 .../organizations/admin/organization_owner.py |  24 +++
 .../organizations/admin/organization_user.py  | 153 +++++++++++++++++
 kobo/apps/organizations/forms.py              |  23 +++
 kobo/apps/organizations/models.py             |   4 +
 kobo/apps/organizations/tasks.py              |  30 ++++
 kobo/apps/organizations/utils.py              |  24 ++-
 .../0003_create_proxy_and_add_invite_type.py  |  53 ++++++
 kobo/apps/project_ownership/models/invite.py  | 156 +++++++++++++++++-
 .../apps/project_ownership/models/transfer.py |  29 +++-
 .../project_ownership/serializers/invite.py   | 148 +----------------
 kobo/apps/project_ownership/utils.py          |  77 ++++++++-
 kobo/settings/base.py                         |   3 +
 20 files changed, 719 insertions(+), 223 deletions(-)
 create mode 100644 hub/static/admin/css/inline_as_fieldset.css
 delete mode 100644 kobo/apps/organizations/admin.py
 create mode 100644 kobo/apps/organizations/admin/__init__.py
 create mode 100644 kobo/apps/organizations/admin/organization.py
 create mode 100644 kobo/apps/organizations/admin/organization_invite.py
 create mode 100644 kobo/apps/organizations/admin/organization_owner.py
 create mode 100644 kobo/apps/organizations/admin/organization_user.py
 create mode 100644 kobo/apps/organizations/forms.py
 create mode 100644 kobo/apps/organizations/tasks.py
 create mode 100644 kobo/apps/project_ownership/migrations/0003_create_proxy_and_add_invite_type.py

diff --git a/hub/admin/extend_user.py b/hub/admin/extend_user.py
index 47116f5ede..e18e80493f 100644
--- a/hub/admin/extend_user.py
+++ b/hub/admin/extend_user.py
@@ -87,8 +87,10 @@ class OrgInline(admin.StackedInline):
         'organization',
         'is_admin',
     ]
+    can_delete = False
+    # Override H2 style to make inline section like other fieldsets
+    classes = ('no-upper',)
     raw_id_fields = ('user', 'organization')
-    readonly_fields = settings.STRIPE_ENABLED and ('active_subscription_status',) or []
 
     def active_subscription_status(self, obj):
         if settings.STRIPE_ENABLED:
@@ -98,6 +100,12 @@ def active_subscription_status(self, obj):
                 else 'None'
             )
 
+    def get_readonly_fields(self, request, obj=None):
+        readonly_fields = ['organization', 'is_admin']
+        if settings.STRIPE_ENABLED:
+            readonly_fields.append('active_subscription_status')
+        return readonly_fields
+
     def has_add_permission(self, request, obj=OrganizationUser):
         return False
 
@@ -158,6 +166,11 @@ class ExtendedUserAdmin(AdvancedSearchMixin, UserAdmin):
     )
     actions = ['remove', 'delete']
 
+    class Media:
+        css = {
+            'all': ('admin/css/inline_as_fieldset.css',)
+        }
+
     @admin.action(description='Remove selected users (delete everything but their username)')
     def remove(self, request, queryset, **kwargs):
         """
@@ -235,8 +248,9 @@ def get_queryset(self, request):
         )
 
     def get_search_results(self, request, queryset, search_term):
-
         if request.path != '/admin/auth/user/':
+            queryset = self._filter_queryset(request, queryset)
+
             # If search comes from autocomplete field, use parent class method
             return super(UserAdmin, self).get_search_results(
                 request, queryset, search_term
@@ -261,6 +275,28 @@ def monthly_submission_count(self, obj):
         ).aggregate(counter=Sum('counter'))
         return instances.get('counter')
 
+    def _filter_queryset(self, request, queryset):
+        auto_complete = request.path == '/admin/autocomplete/'
+        app_label = request.GET.get('app_label')
+        model_name = request.GET.get('model_name')
+
+        if (
+            auto_complete
+            and app_label == 'organizations'
+            and model_name == 'organizationuser'
+        ):
+            return self._filter_queryset_for_organization_user(queryset)
+
+        return queryset
+
+    def _filter_queryset_for_organization_user(self, queryset):
+        """
+        Displays only users whose organization has a single member.
+        """
+        return queryset.annotate(
+            user_count=Count('organizations_organization__organization_users')
+        ).filter(user_count__lte=1).order_by('username')
+
     def _remove_or_delete(
         self,
         request,
diff --git a/hub/static/admin/css/inline_as_fieldset.css b/hub/static/admin/css/inline_as_fieldset.css
new file mode 100644
index 0000000000..fc35ae7805
--- /dev/null
+++ b/hub/static/admin/css/inline_as_fieldset.css
@@ -0,0 +1,3 @@
+.no-upper h2 {
+  text-transform: unset;
+}
diff --git a/kobo/apps/kobo_auth/models.py b/kobo/apps/kobo_auth/models.py
index e9798b4dde..f81891682d 100644
--- a/kobo/apps/kobo_auth/models.py
+++ b/kobo/apps/kobo_auth/models.py
@@ -59,7 +59,7 @@ def organization(self):
         # Database allows multiple organizations per user, but we restrict it to one.
         if organization := Organization.objects.filter(
             organization_users__user=self
-        ).first():
+        ).order_by('-organization_users__created').first():
             return organization
 
         try:
diff --git a/kobo/apps/openrosa/apps/viewer/models/parsed_instance.py b/kobo/apps/openrosa/apps/viewer/models/parsed_instance.py
index 21d3acc45a..dd230db9e7 100644
--- a/kobo/apps/openrosa/apps/viewer/models/parsed_instance.py
+++ b/kobo/apps/openrosa/apps/viewer/models/parsed_instance.py
@@ -8,7 +8,6 @@
 from pymongo.errors import PyMongoError
 
 from kobo.apps.hook.utils.services import call_services
-from kobo.celery import celery_app
 from kobo.apps.openrosa.apps.logger.models import Instance, Note
 from kobo.apps.openrosa.libs.utils.common_tags import (
     ATTACHMENTS,
@@ -24,6 +23,7 @@
 )
 from kobo.apps.openrosa.libs.utils.decorators import apply_form_field_names
 from kobo.apps.openrosa.libs.utils.model_tools import queryset_iterator
+from kobo.celery import celery_app
 from kpi.utils.log import logging
 from kpi.utils.mongo_helper import MongoHelper
 
diff --git a/kobo/apps/organizations/admin.py b/kobo/apps/organizations/admin.py
deleted file mode 100644
index b288ad4e6a..0000000000
--- a/kobo/apps/organizations/admin.py
+++ /dev/null
@@ -1,64 +0,0 @@
-from django.contrib import admin
-from django.contrib.auth import get_user_model
-from import_export import resources
-from import_export.admin import ImportExportModelAdmin
-from import_export.fields import Field
-from import_export.widgets import ForeignKeyWidget
-from organizations.base_admin import (
-    BaseOrganizationAdmin,
-    BaseOrganizationOwnerAdmin,
-    BaseOrganizationUserAdmin,
-    BaseOwnerInline,
-)
-
-from .models import (
-    Organization,
-    OrganizationInvitation,
-    OrganizationOwner,
-    OrganizationUser,
-)
-
-User = get_user_model()
-
-
-class OwnerInline(BaseOwnerInline):
-    model = OrganizationOwner
-
-
-class OrgUserInline(admin.StackedInline):
-    model = OrganizationUser
-    raw_id_fields = ('user',)
-    view_on_site = False
-    extra = 0
-
-
-@admin.register(Organization)
-class OrgAdmin(BaseOrganizationAdmin):
-    inlines = [OwnerInline, OrgUserInline]
-    readonly_fields = ['id']
-
-
-class OrgUserResource(resources.ModelResource):
-    user = Field(
-        attribute='user',
-        column_name='user',
-        widget=ForeignKeyWidget(User, field='username'),
-    )
-
-    class Meta:
-        model = OrganizationUser
-
-
-@admin.register(OrganizationUser)
-class OrgUserAdmin(ImportExportModelAdmin, BaseOrganizationUserAdmin):
-    resource_classes = [OrgUserResource]
-
-
-@admin.register(OrganizationOwner)
-class OrgOwnerAdmin(BaseOrganizationOwnerAdmin):
-    pass
-
-
-@admin.register(OrganizationInvitation)
-class OrgInvitationAdmin(admin.ModelAdmin):
-    pass
diff --git a/kobo/apps/organizations/admin/__init__.py b/kobo/apps/organizations/admin/__init__.py
new file mode 100644
index 0000000000..debd1e39d5
--- /dev/null
+++ b/kobo/apps/organizations/admin/__init__.py
@@ -0,0 +1,7 @@
+# flake8: noqa: F401
+from .organization import OrgAdmin
+from .organization_owner import OrgOwnerAdmin
+from .organization_invite import OrgInvitationAdmin
+from .organization_user import OrgUserAdmin
+
+__all__ = ['OrgAdmin', 'OrgOwnerAdmin', 'OrgInvitationAdmin', 'OrgUserAdmin']
diff --git a/kobo/apps/organizations/admin/organization.py b/kobo/apps/organizations/admin/organization.py
new file mode 100644
index 0000000000..f538d3e628
--- /dev/null
+++ b/kobo/apps/organizations/admin/organization.py
@@ -0,0 +1,93 @@
+from django.contrib import admin, messages
+from django.db.models import Count
+from django.utils.safestring import mark_safe
+from organizations.base_admin import BaseOrganizationAdmin
+
+from kobo.apps.kobo_auth.shortcuts import User
+from .organization_owner import OwnerInline
+from .organization_user import OrgUserInline
+from ..models import (
+    Organization,
+    OrganizationUser,
+)
+from ..tasks import transfer_user_ownership_to_org
+from ..utils import revoke_org_asset_perms
+
+
+@admin.register(Organization)
+class OrgAdmin(BaseOrganizationAdmin):
+    inlines = [OwnerInline, OrgUserInline]
+    view_on_site = False
+    readonly_fields = ['id']
+    fields = ['id', 'name', 'slug', 'is_active', 'mmo_override']
+
+    def save_related(self, request, form, formsets, change):
+        super().save_related(request, form, formsets, change)
+
+        for formset in formsets:
+            if formset.prefix == 'organization_users':
+                # retrieve all users
+                member_ids = formset.queryset.values('user_id')
+                organization_id = form.instance.id
+                new_members = self._get_new_members_queryset(
+                    member_ids, organization_id
+                )
+                self._transfer_user_ownership(request, new_members)
+                self._delete_previous_organizations(new_members, organization_id)
+
+                deleted_user_ids = []
+                for obj in formset.deleted_objects:
+                    deleted_user_ids.append(obj.user_id)
+
+                if deleted_user_ids:
+                    revoke_org_asset_perms(form.instance, deleted_user_ids)
+
+    def _delete_previous_organizations(
+        self, new_members: 'QuerySet', organization_id: int
+    ):
+        new_member_ids = (new_member['pk'] for new_member in new_members)
+        Organization.objects.filter(
+            organization_users__user_id__in=new_member_ids
+        ).exclude(pk=organization_id).delete()
+
+    def _get_new_members_queryset(
+        self, member_ids: 'QuerySet', organization_id: int
+    ) -> 'QuerySet':
+
+        users_in_multiple_orgs = (
+            OrganizationUser.objects.values('user_id')
+            .annotate(org_count=Count('organization_id', distinct=True))
+            .filter(org_count__gt=1, user_id__in=member_ids)
+            .values_list('user_id', flat=True)
+        )
+
+        queryset = (
+            User.objects
+            .filter(
+                organizations_organizationuser__organization_id=organization_id
+            )
+            .filter(id__in=users_in_multiple_orgs)
+            .values('pk', 'username')
+        )
+
+        return queryset
+
+    def _transfer_user_ownership(self, request: 'HttpRequest', new_members: 'QuerySet'):
+
+        if new_members.exists():
+
+            html_username_list = []
+            for user in new_members:
+                html_username_list.append(f"<b>{user['username']}</b>")
+                transfer_user_ownership_to_org.delay(user['pk'])
+
+            message = (
+                'The following new members have been added, and their project '
+                'transfers have started: '
+            ) + ', '.join(html_username_list)
+
+            self.message_user(
+                request,
+                mark_safe(message),
+                messages.INFO,
+            )
diff --git a/kobo/apps/organizations/admin/organization_invite.py b/kobo/apps/organizations/admin/organization_invite.py
new file mode 100644
index 0000000000..c63f521576
--- /dev/null
+++ b/kobo/apps/organizations/admin/organization_invite.py
@@ -0,0 +1,7 @@
+from django.contrib import admin
+from ..models import OrganizationInvitation
+
+
+@admin.register(OrganizationInvitation)
+class OrgInvitationAdmin(admin.ModelAdmin):
+    pass
diff --git a/kobo/apps/organizations/admin/organization_owner.py b/kobo/apps/organizations/admin/organization_owner.py
new file mode 100644
index 0000000000..317c7e11df
--- /dev/null
+++ b/kobo/apps/organizations/admin/organization_owner.py
@@ -0,0 +1,24 @@
+from django.contrib import admin
+from organizations.base_admin import BaseOrganizationOwnerAdmin, BaseOwnerInline
+
+from ..models import OrganizationOwner
+
+
+class OwnerInline(BaseOwnerInline):
+    model = OrganizationOwner
+    autocomplete_fields = ['organization_user']
+
+    can_delete = False
+
+    def get_readonly_fields(self, request, obj=None):
+        """
+        Hook for specifying custom readonly fields.
+        """
+        if obj is not None and obj.pk:
+            return ['organization_user']
+        return []
+
+
+@admin.register(OrganizationOwner)
+class OrgOwnerAdmin(BaseOrganizationOwnerAdmin):
+    autocomplete_fields = ['organization_user', 'organization']
diff --git a/kobo/apps/organizations/admin/organization_user.py b/kobo/apps/organizations/admin/organization_user.py
new file mode 100644
index 0000000000..b11832478c
--- /dev/null
+++ b/kobo/apps/organizations/admin/organization_user.py
@@ -0,0 +1,153 @@
+from django import forms
+from django.conf import settings
+from django.contrib import admin, messages
+from django.db.models import Count
+from django.utils.safestring import mark_safe
+from import_export import resources
+from import_export.admin import ImportExportModelAdmin
+from import_export.fields import Field
+from import_export.widgets import ForeignKeyWidget
+from organizations.base_admin import BaseOrganizationUserAdmin
+
+from kobo.apps.kobo_auth.shortcuts import User
+from ..forms import OrgUserAdminForm
+from ..models import OrganizationUser
+from ..tasks import transfer_user_ownership_to_org
+from ..utils import revoke_org_asset_perms
+
+
+def _max_users_for_edit_mode():
+    """
+    This function represents an arbitrary limit
+    to prevent the form's POST request from exceeding
+    `settings.DATA_UPLOAD_MAX_NUMBER_FIELDS`.
+    """
+    return settings.DATA_UPLOAD_MAX_NUMBER_FIELDS // 3
+
+
+class OrgUserInlineFormSet(forms.models.BaseInlineFormSet):
+    def clean(self):
+        if self.is_valid():
+            members = 0
+            users = []
+            if len(self.forms) >= _max_users_for_edit_mode():
+                return
+
+            for form in self.forms:
+                if form.cleaned_data:
+                    members += 1
+                    users.append(form.cleaned_data['user'].pk)
+
+            if not self.instance.is_mmo and members > 0:
+                raise forms.ValidationError(
+                    'Users cannot be added to an organization that is not multi-member'
+                )
+
+            if members > 0:
+                queryset = OrganizationUser.objects.filter(user_id__in=users)
+                if self.instance.pk:
+                    queryset = queryset.exclude(organization_id=self.instance.pk)
+
+                queryset = (
+                    queryset.values('user_id')
+                    .annotate(org_count=Count('organization_id', distinct=True))
+                    .filter(org_count__gt=1)
+                )
+
+                if queryset.exists():
+                    raise forms.ValidationError(
+                        'You cannot add users who are already members of another '
+                        'multi-member organization.'
+                    )
+
+
+class OrgUserInline(admin.StackedInline):
+    model = OrganizationUser
+    formset = OrgUserInlineFormSet
+    raw_id_fields = ('user',)
+    view_on_site = False
+    extra = 0
+    fields = ['user', 'is_admin']
+    autocomplete_fields = ['user']
+
+    def get_queryset(self, request):
+        queryset = super().get_queryset(request)
+        if queryset:
+            queryset = queryset.filter(organizationowner__isnull=True)
+        return queryset
+
+    def get_readonly_fields(self, request, obj=None):
+        """
+        Hook for specifying custom readonly fields.
+        """
+        if not obj:
+            return []
+
+        if obj.organization_users.count() >= _max_users_for_edit_mode():
+            return ['user', 'is_admin']
+
+        return []
+
+    def has_add_permission(self, request, obj=None):
+        if not obj:
+            return True
+
+        return obj.organization_users.count() < _max_users_for_edit_mode()
+
+    def has_delete_permission(self, request, obj=None):
+        if not obj:
+            return True
+
+        return obj.organization_users.count() < _max_users_for_edit_mode()
+
+
+class OrgUserResource(resources.ModelResource):
+    user = Field(
+        attribute='user',
+        column_name='user',
+        widget=ForeignKeyWidget(User, field='username'),
+    )
+
+    class Meta:
+        model = OrganizationUser
+
+
+@admin.register(OrganizationUser)
+class OrgUserAdmin(ImportExportModelAdmin, BaseOrganizationUserAdmin):
+    resource_classes = [OrgUserResource]
+    search_fields = ('user__username',)
+    autocomplete_fields = ['user', 'organization']
+    form = OrgUserAdminForm
+
+    def get_search_results(self, request, queryset, search_term):
+        auto_complete = request.path == '/admin/autocomplete/'
+        app_label = request.GET.get('app_label')
+        model_name = request.GET.get('model_name')
+        if (
+            auto_complete
+            and app_label == 'organizations'
+            and model_name == 'organizationowner'
+        ):
+            queryset = queryset.annotate(
+                user_count=Count('organization__organization_users')
+            ).filter(user_count__lte=1).order_by('user__username')
+
+        return super().get_search_results(request, queryset, search_term)
+
+    def save_model(self, request, obj, form, change):
+        previous_organization = form.cleaned_data.get('previous_organization')
+        super().save_model(request, obj, form, change)
+        if previous_organization:
+            transfer_user_ownership_to_org.delay(obj.user.pk)
+            message = (
+                f'User <b>{obj.user.username}</b> has been added to '
+                f'<b>{obj.organization.name}</b>, and their project transfers have '
+                f'started'
+            )
+
+            self.message_user(
+                request,
+                mark_safe(message),
+                messages.INFO,
+            )
+            revoke_org_asset_perms(previous_organization, [obj.user.pk])
diff --git a/kobo/apps/organizations/forms.py b/kobo/apps/organizations/forms.py
new file mode 100644
index 0000000000..bf45473c91
--- /dev/null
+++ b/kobo/apps/organizations/forms.py
@@ -0,0 +1,23 @@
+from django import forms
+from django.core.exceptions import ValidationError
+from .models import OrganizationUser
+
+
+class OrgUserAdminForm(forms.ModelForm):
+    class Meta:
+        model = OrganizationUser
+        fields = '__all__'
+
+    def clean(self):
+        cleaned_data = super().clean()
+        organization = cleaned_data.get('organization')
+        user = cleaned_data.get('user')
+        if not organization.is_owner(user) and not organization.is_mmo:
+            raise ValidationError(
+                'Users cannot be added to an organization that is not multi-member'
+            )
+
+        cleaned_data['previous_organization'] = (
+            user.organization if user.organization != organization else None
+        )
+        return cleaned_data
diff --git a/kobo/apps/organizations/models.py b/kobo/apps/organizations/models.py
index d03c01bb3b..9aac437b01 100644
--- a/kobo/apps/organizations/models.py
+++ b/kobo/apps/organizations/models.py
@@ -165,6 +165,10 @@ def owner_user_object(self) -> 'User':
 
 
 class OrganizationUser(AbstractOrganizationUser):
+
+    def __str__(self):
+        return f'<OrganizationUser #{self.pk}: {self.user.username}>'
+
     @property
     def active_subscription_statuses(self):
         """
diff --git a/kobo/apps/organizations/tasks.py b/kobo/apps/organizations/tasks.py
new file mode 100644
index 0000000000..c3effa3b33
--- /dev/null
+++ b/kobo/apps/organizations/tasks.py
@@ -0,0 +1,30 @@
+from django.conf import settings
+from more_itertools import chunked
+
+from kobo.apps.kobo_auth.shortcuts import User
+from kobo.celery import celery_app
+from kobo.apps.project_ownership.utils import create_invite
+
+
+@celery_app.task(
+    queue='kpi_low_priority_queue',
+    soft_time_limit=settings.CELERY_LONG_RUNNING_TASK_SOFT_TIME_LIMIT,
+    time_limit=settings.CELERY_LONG_RUNNING_TASK_TIME_LIMIT,
+)
+def transfer_user_ownership_to_org(user_id: int):
+    sender = User.objects.get(pk=user_id)
+    recipient = sender.organization.owner_user_object
+    user_assets = sender.assets.only('pk', 'uid').iterator()
+
+    # Splitting assets into batches to avoid creating a long-running
+    # Celery task that could exceed Celery's soft time limit or consume
+    # too much RAM, potentially leading to termination by Kubernetes.
+    for asset_batch in chunked(
+        user_assets, settings.USER_ASSET_ORG_TRANSFER_BATCH_SIZE
+    ):
+        create_invite(
+            sender=sender,
+            recipient=recipient,
+            assets=asset_batch,
+            invite_class_name='OrgMembershipAutoInvite',
+        )
diff --git a/kobo/apps/organizations/utils.py b/kobo/apps/organizations/utils.py
index 42fa00f56d..4b5cc18503 100644
--- a/kobo/apps/organizations/utils.py
+++ b/kobo/apps/organizations/utils.py
@@ -1,16 +1,13 @@
-from typing import Union
-
-try:
-    from zoneinfo import ZoneInfo
-except ImportError:
-    from backports.zoneinfo import ZoneInfo
-
 from datetime import datetime
+from typing import Union
+from zoneinfo import ZoneInfo
 
 from dateutil.relativedelta import relativedelta
 from django.utils import timezone
 
 from kobo.apps.organizations.models import Organization
+from kpi.models.asset import Asset
+from kpi.models.object_permission import ObjectPermission
 
 
 def get_monthly_billing_dates(organization: Union[Organization, None]):
@@ -101,3 +98,16 @@ def get_yearly_billing_dates(organization: Union[Organization, None]):
         anchor_date += relativedelta(years=1)
     period_end = period_start + relativedelta(years=1)
     return period_start, period_end
+
+
+def revoke_org_asset_perms(organization: Organization, user_ids: list[int]):
+    """
+    Revokes permissions assigned to removed members on all assets belonging to
+    the organization.
+    """
+    subquery = Asset.objects.values_list('pk', flat=True).filter(
+        owner=organization.owner_user_object
+    )
+    ObjectPermission.objects.filter(
+         asset_id__in=subquery, user_id__in=user_ids
+    ).delete()
diff --git a/kobo/apps/project_ownership/migrations/0003_create_proxy_and_add_invite_type.py b/kobo/apps/project_ownership/migrations/0003_create_proxy_and_add_invite_type.py
new file mode 100644
index 0000000000..b6a44db49e
--- /dev/null
+++ b/kobo/apps/project_ownership/migrations/0003_create_proxy_and_add_invite_type.py
@@ -0,0 +1,53 @@
+# Generated by Django 4.2.15 on 2024-11-08 16:54
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        (
+            'project_ownership',
+            '0002_alter_invite_date_created_alter_invite_date_modified_and_more',
+        ),
+    ]
+
+    operations = [
+        migrations.CreateModel(
+            name='OrgMembershipAutoInvite',
+            fields=[],
+            options={
+                'verbose_name': 'auto-invite for user project transfer to organization',
+                'proxy': True,
+                'indexes': [],
+                'constraints': [],
+            },
+            bases=('project_ownership.invite',),
+        ),
+        migrations.AddField(
+            model_name='invite',
+            name='invite_type',
+            field=models.CharField(
+                choices=[
+                    ('org-membership', 'Org Membership'),
+                    ('org-ownership-transfer', 'Org Ownership Transfer'),
+                    ('user-ownership-transfer', 'User Ownership Transfer'),
+                ],
+                default='user-ownership-transfer',
+                max_length=30,
+            ),
+        ),
+        migrations.AddField(
+            model_name='transfer',
+            name='invite_type',
+            field=models.CharField(
+                choices=[
+                    ('org-membership', 'Org Membership'),
+                    ('org-ownership-transfer', 'Org Ownership Transfer'),
+                    ('user-ownership-transfer', 'User Ownership Transfer'),
+                ],
+                default='user-ownership-transfer',
+                max_length=30,
+            ),
+        ),
+    ]
diff --git a/kobo/apps/project_ownership/models/invite.py b/kobo/apps/project_ownership/models/invite.py
index 593eb7955d..fdf0a91a4a 100644
--- a/kobo/apps/project_ownership/models/invite.py
+++ b/kobo/apps/project_ownership/models/invite.py
@@ -1,14 +1,39 @@
 from __future__ import annotations
 
+from constance import config
 from django.conf import settings
 from django.db import models
-from django.utils import timezone
+from django.utils.translation import gettext as t
 
 from kpi.fields import KpiUidField
 from kpi.models.abstract_models import AbstractTimeStampedModel
+from kpi.utils.mailer import EmailMessage, Mailer
 from .choices import InviteStatusChoices
 
 
+class InviteType(models.TextChoices):
+    ORG_MEMBERSHIP = 'org-membership'
+    ORG_OWNERSHIP_TRANSFER = 'org-ownership-transfer'
+    USER_OWNERSHIP_TRANSFER = 'user-ownership-transfer'
+
+
+class InviteAllManager(models.Manager):
+    pass
+
+
+class InviteManager(models.Manager):
+
+    def create(self, **kwargs):
+        return super().create(invite_type=InviteType.USER_OWNERSHIP_TRANSFER, **kwargs)
+
+    def get_queryset(self):
+        return (
+            super()
+            .get_queryset()
+            .filter(invite_type=InviteType.USER_OWNERSHIP_TRANSFER)
+        )
+
+
 class Invite(AbstractTimeStampedModel):
 
     uid = KpiUidField(uid_prefix='poi')
@@ -28,6 +53,13 @@ class Invite(AbstractTimeStampedModel):
         default=InviteStatusChoices.PENDING,
         db_index=True
     )
+    invite_type = models.CharField(
+        choices=InviteType.choices,
+        default=InviteType.USER_OWNERSHIP_TRANSFER,
+        max_length=30,
+    )
+    objects = InviteManager()
+    all_objects = InviteAllManager()
 
     class Meta:
         verbose_name = 'project ownership transfer invite'
@@ -38,3 +70,125 @@ def __str__(self):
             f'{self.recipient.username} '
             f'({InviteStatusChoices(self.status)})'
         )
+
+    @property
+    def auto_accept_invites(self):
+        return config.PROJECT_OWNERSHIP_AUTO_ACCEPT_INVITES
+
+    def send_acceptance_email(self):
+
+        template_variables = {
+            'username': self.sender.username,
+            'recipient': self.recipient.username,
+            'transfers': [
+                {
+                    'asset_uid': transfer.asset.uid,
+                    'asset_name': transfer.asset.name,
+                }
+                for transfer in self.transfers.all()
+            ],
+            'base_url': settings.KOBOFORM_URL,
+        }
+
+        email_message = EmailMessage(
+            to=self.sender.email,
+            subject=t('KoboToolbox project ownership transfer accepted'),
+            plain_text_content_or_template='emails/accepted_invite.txt',
+            template_variables=template_variables,
+            html_content_or_template='emails/accepted_invite.html',
+            language=self.recipient.extra_details.data.get('last_ui_language')
+        )
+
+        Mailer.send(email_message)
+
+    def send_invite_email(self):
+
+        template_variables = {
+            'username': self.recipient.username,
+            'sender_username': self.sender.username,
+            'sender_email': self.sender.email,
+            'transfers': [
+                {
+                    'asset_uid': transfer.asset.uid,
+                    'asset_name': transfer.asset.name,
+                }
+                for transfer in self.transfers.all()
+            ],
+            'base_url': settings.KOBOFORM_URL,
+            'invite_expiry': config.PROJECT_OWNERSHIP_INVITE_EXPIRY,
+            'invite_uid': self.uid,
+        }
+
+        email_message = EmailMessage(
+            to=self.recipient.email,
+            subject=t(
+                'Action required: KoboToolbox project ownership transfer request'
+            ),
+            plain_text_content_or_template='emails/new_invite.txt',
+            template_variables=template_variables,
+            html_content_or_template='emails/new_invite.html',
+            language=self.recipient.extra_details.data.get('last_ui_language')
+        )
+
+        Mailer.send(email_message)
+
+    def send_refusal_email(self):
+
+        template_variables = {
+            'username': self.sender.username,
+            'recipient': self.recipient.username,
+            'transfers': [
+                {
+                    'asset_uid': transfer.asset.uid,
+                    'asset_name': transfer.asset.name,
+                }
+                for transfer in self.transfers.all()
+            ],
+            'base_url': settings.KOBOFORM_URL,
+        }
+
+        email_message = EmailMessage(
+            to=self.sender.email,
+            subject=t('KoboToolbox project ownership transfer incomplete'),
+            plain_text_content_or_template='emails/declined_invite.txt',
+            template_variables=template_variables,
+            html_content_or_template='emails/declined_invite.html',
+            language=self.recipient.extra_details.data.get('last_ui_language')
+        )
+
+        Mailer.send(email_message)
+
+
+class OrgMembershipAutoInviteManager(models.Manager):
+
+    def create(self, **kwargs):
+        return super().create(invite_type=InviteType.ORG_MEMBERSHIP, **kwargs)
+
+    def get_queryset(self):
+        return (
+            super()
+            .get_queryset()
+            .filter(invite_type=InviteType.ORG_MEMBERSHIP)
+        )
+
+
+class OrgMembershipAutoInvite(Invite):
+
+    class Meta:
+        proxy = True
+        verbose_name = 'auto-invite for user project transfer to organization'
+
+    objects = OrgMembershipAutoInviteManager()
+
+    @property
+    def auto_accept_invites(self):
+        return True
+
+    def send_acceptance_email(self):
+        pass
+
+    def send_invite_email(self):
+        pass
+
+    def send_refusal_email(self):
+        pass
diff --git a/kobo/apps/project_ownership/models/transfer.py b/kobo/apps/project_ownership/models/transfer.py
index fd3505734c..4ab95dfa95 100644
--- a/kobo/apps/project_ownership/models/transfer.py
+++ b/kobo/apps/project_ownership/models/transfer.py
@@ -27,7 +27,7 @@
     TransferStatusChoices,
     TransferStatusTypeChoices,
 )
-from .invite import Invite
+from .invite import Invite, InviteType, OrgMembershipAutoInvite
 
 
 class Transfer(AbstractTimeStampedModel):
@@ -43,6 +43,16 @@ class Transfer(AbstractTimeStampedModel):
         related_name='transfers',
         on_delete=models.CASCADE,
     )
+    # The `invite_type` field is **always** copied from the `Invite` model during the
+    # save process to eliminate the need to load the related `Invite` model solely to
+    # determine its type.
+    # This optimization allows directly resolving the appropriate model with
+    # `get_invite_model()`.
+    invite_type = models.CharField(
+        choices=InviteType.choices,
+        default=InviteType.USER_OWNERSHIP_TRANSFER,
+        max_length=30,
+    )
 
     class Meta:
         verbose_name = 'project ownership transfer'
@@ -54,9 +64,18 @@ def __str__(self) -> str:
             f'{self.invite.recipient.username}'
         )
 
+    def get_invite_model(self) -> Invite | OrgMembershipAutoInvite:
+        if self.invite_type == InviteType.USER_OWNERSHIP_TRANSFER:
+            return Invite
+        if self.invite_type == InviteType.ORG_MEMBERSHIP:
+            return OrgMembershipAutoInvite
+
+        raise NotImplementedError
+
     def save(self, *args, **kwargs):
 
         is_new = self.pk is None
+        self.invite_type = self.invite.invite_type
         super().save(*args, **kwargs)
 
         if is_new:
@@ -269,8 +288,8 @@ def _update_invite_status(self):
         This method must be called within a transaction because of the lock
         acquired the object row (with `select_for_update`)
         """
-        invite = self.invite.__class__.objects.select_for_update().get(
-            pk=self.invite.pk
+        invite = self.get_invite_model().objects.select_for_update().get(
+            pk=self.invite_id
         )
         previous_status = invite.status
         is_complete = True
@@ -296,8 +315,8 @@ def _update_invite_status(self):
             if invite.status == InviteStatusChoices.FAILED:
                 send_email_to_admins.delay(invite.uid)
 
-        if previous_status != invite.status:
-            self.invite.refresh_from_db()
+            self.invite.status = invite.status
+            self.invite.date_modified = invite.date_modified
 
 
 class TransferStatus(AbstractTimeStampedModel):
diff --git a/kobo/apps/project_ownership/serializers/invite.py b/kobo/apps/project_ownership/serializers/invite.py
index 785f68c0f8..769f964250 100644
--- a/kobo/apps/project_ownership/serializers/invite.py
+++ b/kobo/apps/project_ownership/serializers/invite.py
@@ -1,9 +1,6 @@
 from __future__ import annotations
 
-from constance import config
-from django.conf import settings
 from django.contrib.auth import get_user_model
-from django.db import transaction
 from django.db.models import Max, Prefetch
 from django.utils.translation import gettext as t
 from rest_framework import exceptions, serializers
@@ -11,16 +8,15 @@
 
 from kpi.fields import RelativePrefixHyperlinkedRelatedField
 from kpi.models import Asset
-from kpi.utils.mailer import EmailMessage, Mailer
 from .transfer import TransferListSerializer
 from ..models import (
     Invite,
     InviteStatusChoices,
     Transfer,
     TransferStatus,
-    TransferStatusChoices,
     TransferStatusTypeChoices,
 )
+from ..utils import create_invite, update_invite
 
 
 class InviteSerializer(serializers.ModelSerializer):
@@ -59,36 +55,12 @@ class Meta:
     def create(self, validated_data: dict) -> Invite:
         request = self.context['request']
 
-        with transaction.atomic():
-            instance = Invite.objects.create(
-                sender=request.user,
-                recipient=validated_data['recipient']
-            )
-            transfers = Transfer.objects.bulk_create(
-                [
-                    Transfer(invite=instance, asset=asset)
-                    for asset in validated_data['assets']
-                ]
-            )
-            statuses = []
-            for transfer in transfers:
-                for status_type in TransferStatusTypeChoices.values:
-                    statuses.append(
-                        TransferStatus(
-                            transfer=transfer,
-                            status_type=status_type,
-                        )
-                    )
-            TransferStatus.objects.bulk_create(statuses)
-
-        if config.PROJECT_OWNERSHIP_AUTO_ACCEPT_INVITES:
-            instance = self.update(
-                instance, {'status': InviteStatusChoices.ACCEPTED}
-            )
-        else:
-            self._send_invite_email(instance)
-
-        return instance
+        return create_invite(
+            sender=request.user,
+            recipient=validated_data['recipient'],
+            assets=validated_data['assets'],
+            invite_class_name='Invite',
+        )
 
     def get_transfers(self, invite: Invite) -> list:
         transfers = (
@@ -220,108 +192,4 @@ def validate_status(self, status: str) -> str:
     def update(self, instance: Invite, validated_data: dict) -> Invite:
 
         status = validated_data['status']
-
-        # Keep `status` value to email condition below
-        instance.status = (
-            InviteStatusChoices.IN_PROGRESS
-            if status == InviteStatusChoices.ACCEPTED
-            else status
-        )
-        instance.save(update_fields=['status', 'date_modified'])
-
-        for transfer in instance.transfers.all():
-            if instance.status != InviteStatusChoices.IN_PROGRESS:
-                transfer.statuses.update(
-                    status=TransferStatusChoices.CANCELLED
-                )
-            else:
-                transfer.transfer_project()
-
-        if not config.PROJECT_OWNERSHIP_AUTO_ACCEPT_INVITES:
-            if status == InviteStatusChoices.DECLINED:
-                self._send_refusal_email(instance)
-            elif status == InviteStatusChoices.ACCEPTED:
-                self._send_acceptance_email(instance)
-
-        return instance
-
-    def _send_acceptance_email(self, invite: Invite):
-
-        template_variables = {
-            'username': invite.sender.username,
-            'recipient': invite.recipient.username,
-            'transfers': [
-                {
-                    'asset_uid': transfer.asset.uid,
-                    'asset_name': transfer.asset.name,
-                }
-                for transfer in invite.transfers.all()
-            ],
-            'base_url': settings.KOBOFORM_URL,
-        }
-
-        email_message = EmailMessage(
-            to=invite.sender.email,
-            subject=t('KoboToolbox project ownership transfer accepted'),
-            plain_text_content_or_template='emails/accepted_invite.txt',
-            template_variables=template_variables,
-            html_content_or_template='emails/accepted_invite.html',
-            language=invite.recipient.extra_details.data.get('last_ui_language')
-        )
-
-        Mailer.send(email_message)
-
-    def _send_invite_email(self, invite: Invite):
-
-        template_variables = {
-            'username': invite.recipient.username,
-            'sender_username': invite.sender.username,
-            'sender_email': invite.sender.email,
-            'transfers': [
-                {
-                    'asset_uid': transfer.asset.uid,
-                    'asset_name': transfer.asset.name,
-                }
-                for transfer in invite.transfers.all()
-            ],
-            'base_url': settings.KOBOFORM_URL,
-            'invite_expiry': config.PROJECT_OWNERSHIP_INVITE_EXPIRY,
-            'invite_uid': invite.uid,
-        }
-
-        email_message = EmailMessage(
-            to=invite.recipient.email,
-            subject=t('Action required: KoboToolbox project ownership transfer request'),
-            plain_text_content_or_template='emails/new_invite.txt',
-            template_variables=template_variables,
-            html_content_or_template='emails/new_invite.html',
-            language=invite.recipient.extra_details.data.get('last_ui_language')
-        )
-
-        Mailer.send(email_message)
-
-    def _send_refusal_email(self, invite: Invite):
-
-        template_variables = {
-            'username': invite.sender.username,
-            'recipient': invite.recipient.username,
-            'transfers': [
-                {
-                    'asset_uid': transfer.asset.uid,
-                    'asset_name': transfer.asset.name,
-                }
-                for transfer in invite.transfers.all()
-            ],
-            'base_url': settings.KOBOFORM_URL,
-        }
-
-        email_message = EmailMessage(
-            to=invite.sender.email,
-            subject=t('KoboToolbox project ownership transfer incomplete'),
-            plain_text_content_or_template='emails/declined_invite.txt',
-            template_variables=template_variables,
-            html_content_or_template='emails/declined_invite.html',
-            language=invite.recipient.extra_details.data.get('last_ui_language')
-        )
-
-        Mailer.send(email_message)
+        return update_invite(invite=instance, status=status)
diff --git a/kobo/apps/project_ownership/utils.py b/kobo/apps/project_ownership/utils.py
index 253dd97fd0..dd4f1bcd7d 100644
--- a/kobo/apps/project_ownership/utils.py
+++ b/kobo/apps/project_ownership/utils.py
@@ -1,19 +1,62 @@
 import os
 import time
-from typing import Optional
+from typing import Literal, Optional, Union
 
+from django.db import transaction
 from django.apps import apps
 from django.utils import timezone
 
 
 from kobo.apps.openrosa.apps.main.models import MetaData
 from kobo.apps.openrosa.apps.logger.models.attachment import Attachment
-from kpi.models.asset import AssetFile
+from kobo.apps.project_ownership.models import InviteStatusChoices
+from kpi.models.asset import Asset, AssetFile
 from .exceptions import AsyncTaskException
 from .constants import ASYNC_TASK_HEARTBEAT, FILE_MOVE_CHUNK_SIZE
 from .models.choices import TransferStatusChoices, TransferStatusTypeChoices
 
 
+def create_invite(
+    sender: 'User',
+    recipient: 'User',
+    assets: list[Asset],
+    invite_class_name: str = Literal['Invite', 'OrgMembershipAutoInvite'],
+) -> Union['Invite', 'OrgMembershipAutoInvite']:
+
+    InviteModel = apps.get_model('project_ownership', invite_class_name)
+    Transfer = apps.get_model('project_ownership', 'Transfer')
+    TransferStatus = apps.get_model('project_ownership', 'TransferStatus')
+
+    with transaction.atomic():
+        invite = InviteModel.objects.create(
+            sender=sender,
+            recipient=recipient
+        )
+        transfers = Transfer.objects.bulk_create(
+            [
+                Transfer(invite=invite, asset=asset)
+                for asset in assets
+            ]
+        )
+        statuses = []
+        for transfer in transfers:
+            for status_type in TransferStatusTypeChoices.values:
+                statuses.append(
+                    TransferStatus(
+                        transfer=transfer,
+                        status_type=status_type,
+                    )
+                )
+        TransferStatus.objects.bulk_create(statuses)
+
+    if invite.auto_accept_invites:
+        update_invite(invite, status=InviteStatusChoices.ACCEPTED)
+    else:
+        invite.send_invite_email()
+
+    return invite
+
+
 def get_target_folder(
     previous_owner_username: str, new_owner_username: str, filename: str
 ) -> Optional[str]:
@@ -186,6 +229,36 @@ def rewrite_mongo_userform_id(transfer: 'project_ownership.Transfer'):
     )
 
 
+def update_invite(
+    invite: Union['Invite', 'OrgMembershipAutoInvite'],
+    status: str,
+) -> Union['Invite', 'OrgMembershipAutoInvite']:
+
+    # Keep `status` value to email condition below
+    invite.status = (
+        InviteStatusChoices.IN_PROGRESS
+        if status == InviteStatusChoices.ACCEPTED
+        else status
+    )
+    invite.save(update_fields=['status', 'date_modified'])
+
+    for transfer in invite.transfers.all():
+        if invite.status != InviteStatusChoices.IN_PROGRESS:
+            transfer.statuses.update(
+                status=TransferStatusChoices.CANCELLED
+            )
+        else:
+            transfer.transfer_project()
+
+    if not invite.auto_accept_invites:
+        if status == InviteStatusChoices.DECLINED:
+            invite.send_refusal_email()
+        elif status == InviteStatusChoices.ACCEPTED:
+            invite.send_acceptance_email()
+
+    return invite
+
+
 def _mark_task_as_successful(
     transfer: 'project_ownership.Transfer', async_task_type: str
 ):
diff --git a/kobo/settings/base.py b/kobo/settings/base.py
index 0e632527bc..648c6e1b09 100644
--- a/kobo/settings/base.py
+++ b/kobo/settings/base.py
@@ -1583,6 +1583,7 @@ def dj_stripe_request_callback_method():
 MONGO_QUERY_TIMEOUT = SYNCHRONOUS_REQUEST_TIME_LIMIT + 5  # seconds
 MONGO_CELERY_QUERY_TIMEOUT = CELERY_TASK_TIME_LIMIT + 10  # seconds
 
+
 SESSION_ENGINE = 'redis_sessions.session'
 # django-redis-session expects a dictionary with `url`
 redis_session_url = env.cache_url(
@@ -1799,3 +1800,5 @@ def dj_stripe_request_callback_method():
 # in the ObjectPermission table), but the code will still conduct the permission
 # checks as if they were.
 ADMIN_ORG_INHERITED_PERMS = [PERM_DELETE_ASSET, PERM_MANAGE_ASSET]
+
+USER_ASSET_ORG_TRANSFER_BATCH_SIZE = 20

From c47f297c1c1b86d2d691e294da15733e5d331205 Mon Sep 17 00:00:00 2001
From: Rebecca Graber <becca.graber@kobotoolbox.org>
Date: Wed, 13 Nov 2024 15:19:41 -0500
Subject: [PATCH 4/8] feat(projectHistoryLog): log exports TASK-944 (#5241)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

### 📣 Summary
Record project history logs for when users export an asset.


### 👀 Preview steps

Bug template:
1. ℹ️ Log in as a super user. Create and deploy a project
2. Add at least 1 submission to the project
3. Go to Data > Downloads and hit Export. Note: the export may get stuck
in processing. This is due to an unrelated bug
(https://www.notion.so/kobotoolbox/Exports-fail-with-ExportTask-matching-query-does-not-exist-1377e515f65480328422e0c8fcfed1c0)
but doesn't affect this work since we want to log every attempt to
export, not just successful ones
5. 🟢 Go to `api/v2/audit-logs/?q=metadata__asset_uid:<asset_uid> AND
log_type='project-history'`
6. There should be a new PH log with action=`export` (usual metadata)


### 💭 Notes
Uses the AuditLoggedViewSet and `create_from_related_request` flows
(similar to asset files, paired data, etc.)
---
 kobo/apps/audit_log/audit_actions.py          |  1 +
 kobo/apps/audit_log/base_views.py             |  2 +-
 kobo/apps/audit_log/models.py                 | 35 ++++++++++--
 .../tests/test_project_history_logs.py        | 55 +++++++++++++++++++
 kpi/models/import_export_task.py              | 18 +++---
 kpi/views/v1/export_task.py                   |  6 +-
 kpi/views/v2/export_task.py                   |  6 +-
 7 files changed, 107 insertions(+), 16 deletions(-)

diff --git a/kobo/apps/audit_log/audit_actions.py b/kobo/apps/audit_log/audit_actions.py
index a85b3ef563..d8a29c4c33 100644
--- a/kobo/apps/audit_log/audit_actions.py
+++ b/kobo/apps/audit_log/audit_actions.py
@@ -14,6 +14,7 @@ class AuditAction(models.TextChoices):
     DISABLE_SHARING = 'disable-sharing'
     DISCONNECT_PROJECT = 'disconnect-project'
     ENABLE_SHARING = 'enable-sharing'
+    EXPORT = 'export'
     IN_TRASH = 'in-trash'
     MODIFY_IMPORTED_FIELDS = 'modify-imported-fields'
     MODIFY_SERVICE = 'modify-service'
diff --git a/kobo/apps/audit_log/base_views.py b/kobo/apps/audit_log/base_views.py
index 1632772768..f697f267ca 100644
--- a/kobo/apps/audit_log/base_views.py
+++ b/kobo/apps/audit_log/base_views.py
@@ -83,8 +83,8 @@ def perform_destroy(self, instance):
             field_label = field[0] if isinstance(field, tuple) else field
             value = get_nested_field(instance, field_path)
             audit_log_data[field_label] = value
-        self.request._request.initial_data = audit_log_data
         self.perform_destroy_override(instance)
+        self.request._request.initial_data = audit_log_data
 
     def perform_destroy_override(self, instance):
         super().perform_destroy(instance)
diff --git a/kobo/apps/audit_log/models.py b/kobo/apps/audit_log/models.py
index 2bc70292cb..1778aaaa59 100644
--- a/kobo/apps/audit_log/models.py
+++ b/kobo/apps/audit_log/models.py
@@ -333,6 +333,8 @@ def create_from_request(cls, request):
             'paired-data-list': cls.create_from_paired_data_request,
             'asset-file-detail': cls.create_from_file_request,
             'asset-file-list': cls.create_from_file_request,
+            'asset-export-list': cls.create_from_export_request,
+            'exporttask-list': cls.create_from_v1_export,
         }
         url_name = request.resolver_match.url_name
         method = url_name_to_action.get(url_name, None)
@@ -491,6 +493,10 @@ def create_from_paired_data_request(cls, request):
             AuditAction.MODIFY_IMPORTED_FIELDS,
         )
 
+    @classmethod
+    def create_from_export_request(cls, request):
+        cls.create_from_related_request(request, None, AuditAction.EXPORT, None, None)
+
     @staticmethod
     def sharing_change(old_fields, new_fields):
         old_enabled = old_fields.get('enabled', False)
@@ -550,17 +556,21 @@ def create_from_related_request(
             'log_subtype': PROJECT_HISTORY_LOG_PROJECT_SUBTYPE,
             'ip_address': get_client_ip(request),
             'source': get_human_readable_client_user_agent(request),
-            label: source_data,
         }
+        if label:
+            metadata.update({label: source_data})
         if updated_data is None:
             action = delete_action
         elif initial_data is None:
             action = add_action
         else:
             action = modify_action
-        ProjectHistoryLog.objects.create(
-            user=request.user, object_id=object_id, action=action, metadata=metadata
-        )
+        if action:
+            # some actions on related objects do not need to be logged,
+            # eg deleting an ExportTask
+            ProjectHistoryLog.objects.create(
+                user=request.user, object_id=object_id, action=action, metadata=metadata
+            )
 
     @classmethod
     def create_from_import_task(cls, task: ImportTask):
@@ -598,3 +608,20 @@ def create_from_import_task(cls, task: ImportTask):
                     action=AuditAction.UPDATE_NAME,
                     metadata=metadata,
                 )
+
+    @classmethod
+    def create_from_v1_export(cls, request):
+        updated_data = getattr(request, 'updated_data', None)
+        if not updated_data:
+            return
+        ProjectHistoryLog.objects.create(
+            user=request.user,
+            object_id=updated_data['asset_id'],
+            action=AuditAction.EXPORT,
+            metadata={
+                'asset_uid': updated_data['asset_uid'],
+                'log_subtype': PROJECT_HISTORY_LOG_PROJECT_SUBTYPE,
+                'ip_address': get_client_ip(request),
+                'source': get_human_readable_client_user_agent(request),
+            },
+        )
diff --git a/kobo/apps/audit_log/tests/test_project_history_logs.py b/kobo/apps/audit_log/tests/test_project_history_logs.py
index e386bc4733..693a072eef 100644
--- a/kobo/apps/audit_log/tests/test_project_history_logs.py
+++ b/kobo/apps/audit_log/tests/test_project_history_logs.py
@@ -807,3 +807,58 @@ def test_create_from_import_task(self, file_or_url, change_name, use_v2):
                     NEW: new_asset.name,
                 },
             )
+
+    def test_export_creates_log(self):
+        self.asset.deploy(backend='mock', active=True)
+        request_data = {
+            'fields_from_all_versions': True,
+            'fields': [],
+            'group_sep': '/',
+            'hierarchy_in_labels': False,
+            'lang': '_default',
+            'multiple_select': 'both',
+            'type': 'xls',
+            'xls_types_as_text': False,
+            'include_media_url': True,
+        }
+        self._base_project_history_log_test(
+            method=self.client.post,
+            url=reverse(
+                'api_v2:asset-export-list',
+                kwargs={
+                    'parent_lookup_asset': self.asset.uid,
+                },
+            ),
+            expected_action=AuditAction.EXPORT,
+            request_data=request_data,
+            expected_subtype=PROJECT_HISTORY_LOG_PROJECT_SUBTYPE,
+        )
+
+    def test_export_v1_creates_log(self):
+        self.asset.deploy(backend='mock', active=True)
+        request_data = {
+            'fields_from_all_versions': True,
+            'fields': [],
+            'group_sep': '/',
+            'hierarchy_in_labels': False,
+            'lang': '_default',
+            'multiple_select': 'both',
+            'type': 'xls',
+            'xls_types_as_text': False,
+            'include_media_url': True,
+            'source': reverse('api_v2:asset-detail', kwargs={'uid': self.asset.uid}),
+        }
+        # can't use _base_project_history_log_test because
+        # the old endpoint doesn't like format=json
+        self.client.post(
+            path=reverse('exporttask-list'),
+            data=request_data,
+        )
+
+        log_query = ProjectHistoryLog.objects.filter(
+            metadata__asset_uid=self.asset.uid, action=AuditAction.EXPORT
+        )
+        self.assertEqual(log_query.count(), 1)
+        log = log_query.first()
+        self._check_common_metadata(log.metadata, PROJECT_HISTORY_LOG_PROJECT_SUBTYPE)
+        self.assertEqual(log.object_id, self.asset.id)
diff --git a/kpi/models/import_export_task.py b/kpi/models/import_export_task.py
index 532586b5dd..6c901fa1b4 100644
--- a/kpi/models/import_export_task.py
+++ b/kpi/models/import_export_task.py
@@ -816,6 +816,16 @@ def _run_task(self, messages):
         else:
             self.save(update_fields=['result', 'last_submission_time'])
 
+    @property
+    def asset(self):
+        source_url = self.data.get('source', False)
+        if not source_url:
+            raise Exception('no source specified for the export')
+        try:
+            return resolve_url_to_asset(source_url)
+        except Asset.DoesNotExist:
+            raise self.InaccessibleData
+
     def delete(self, *args, **kwargs):
         # removing exported file from storage
         self.result.delete(save=False)
@@ -833,13 +843,7 @@ def get_export_object(
         submission_ids = self.data.get('submission_ids', [])
 
         if source is None:
-            source_url = self.data.get('source', False)
-            if not source_url:
-                raise Exception('no source specified for the export')
-            try:
-                source = resolve_url_to_asset(source_url)
-            except Asset.DoesNotExist:
-                raise self.InaccessibleData
+            source = self.asset
 
         source_perms = source.get_perms(self.user)
         if (
diff --git a/kpi/views/v1/export_task.py b/kpi/views/v1/export_task.py
index 95c2d261bc..42ed479b81 100644
--- a/kpi/views/v1/export_task.py
+++ b/kpi/views/v1/export_task.py
@@ -5,14 +5,14 @@
 from rest_framework.response import Response
 from rest_framework.reverse import reverse
 
+from kobo.apps.audit_log.base_views import AuditLoggedNoUpdateModelViewSet
 from kpi.models import Asset, ExportTask
 from kpi.serializers import ExportTaskSerializer
 from kpi.tasks import export_in_background
 from kpi.utils.models import remove_string_prefix, resolve_url_to_asset
-from kpi.views.no_update_model import NoUpdateModelViewSet
 
 
-class ExportTaskViewSet(NoUpdateModelViewSet):
+class ExportTaskViewSet(AuditLoggedNoUpdateModelViewSet):
     """
     ## This document is for a deprecated version of kpi's API.
 
@@ -133,6 +133,7 @@ class ExportTaskViewSet(NoUpdateModelViewSet):
     queryset = ExportTask.objects.all()
     serializer_class = ExportTaskSerializer
     lookup_field = 'uid'
+    log_type = 'project-history'
 
     def get_queryset(self, *args, **kwargs):
         if self.request.user.is_anonymous:
@@ -198,6 +199,7 @@ def create(self, request, *args, **kwargs):
         except Asset.DoesNotExist:
             raise serializers.ValidationError(
                 {'source': 'The specified asset does not exist.'})
+        request._request.updated_data = {'asset_id': source.id, 'asset_uid': source.uid}
         # Complain if it's not deployed
         if not source.has_deployment:
             raise serializers.ValidationError(
diff --git a/kpi/views/v2/export_task.py b/kpi/views/v2/export_task.py
index 281ab24a2e..32f9ca8623 100644
--- a/kpi/views/v2/export_task.py
+++ b/kpi/views/v2/export_task.py
@@ -5,17 +5,17 @@
 )
 from rest_framework_extensions.mixins import NestedViewSetMixin
 
+from kobo.apps.audit_log.base_views import AuditLoggedNoUpdateModelViewSet
 from kpi.filters import SearchFilter
 from kpi.models import ExportTask
 from kpi.permissions import ExportTaskPermission
 from kpi.serializers.v2.export_task import ExportTaskSerializer
 from kpi.utils.object_permission import get_database_user
 from kpi.utils.viewset_mixins import AssetNestedObjectViewsetMixin
-from kpi.views.no_update_model import NoUpdateModelViewSet
 
 
 class ExportTaskViewSet(
-    AssetNestedObjectViewsetMixin, NestedViewSetMixin, NoUpdateModelViewSet
+    AssetNestedObjectViewsetMixin, NestedViewSetMixin, AuditLoggedNoUpdateModelViewSet
 ):
     """
     ## List of export tasks endpoints
@@ -159,6 +159,8 @@ class ExportTaskViewSet(
     search_default_field_lookups = [
         'uid__icontains',
     ]
+    log_type = 'project-history'
+    logged_fields = [('object_id', 'asset.id')]
 
     def get_queryset(self):
         user = get_database_user(self.request.user)

From cd3d2000df10bf8a6b81351987ed111028519f72 Mon Sep 17 00:00:00 2001
From: James Kiger <68701146+jamesrkiger@users.noreply.github.com>
Date: Thu, 14 Nov 2024 10:16:49 -0500
Subject: [PATCH 5/8] feat(billing): merge NLP addons feature into main
 TASK-1255 (#5265)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

### 📣 Summary
Adds billing and tracking support for one-time addons.


### 💭 Notes
This PR is for merging the `billing-addons-backend` feature branch into
`main`. All substantive changes have already been reviewed and tested,
though further testing will be conducted on the beta server once the
merge is completed. The frontend feature has been placed behind a
feature flag, and so will require the param
`?ff_oneTimeAddonsEnabled=true`.

---------

Co-authored-by: Jessica Thomas <jessica.thomas@kobotoolbox.org>
Co-authored-by: RuthShryock <ruthieshryock@gmail.com>
Co-authored-by: Guillermo <lgar89@gmail.com>
Co-authored-by: RuthShryock <81720958+RuthShryock@users.noreply.github.com>
Co-authored-by: Olivier Léger <olivierleger@gmail.com>
---
 hub/admin/extend_user.py                      |  15 +-
 jsapp/js/account/accountSidebar.tsx           |  18 +-
 .../account/add-ons/addOnList.component.tsx   | 323 ++++++++++--------
 .../js/account/add-ons/addOnList.module.scss  | 117 ++++++-
 .../add-ons/oneTimeAddOnRow.component.tsx     | 205 +++++++++++
 .../add-ons/updateBadge.component..tsx        |  62 ++++
 .../billingContextProvider.component.tsx      |   7 +-
 .../account/plans/billingButton.module.scss   |   1 +
 .../account/plans/planContainer.component.tsx |   8 +-
 .../js/account/plans/useDisplayPrice.hook.tsx |   6 +
 jsapp/js/account/stripe.api.ts                |  73 +++-
 jsapp/js/account/stripe.types.ts              |  34 +-
 jsapp/js/account/stripe.utils.ts              |  52 ++-
 .../oneTimeAddOnList.component.tsx            |  69 ++++
 .../oneTimeAddOnList.module.scss              |  21 ++
 .../oneTimeAddOnUsageModal.component.tsx      | 105 ++++++
 .../oneTimeAddOnUsageModal.module.scss        |  57 ++++
 jsapp/js/account/usage/usage.component.tsx    | 151 ++++++--
 jsapp/js/account/usage/usageContainer.tsx     | 178 +++++-----
 jsapp/js/account/useOneTimeAddonList.hook.ts  |  37 ++
 jsapp/js/api.endpoints.ts                     |   1 +
 jsapp/js/components/modals/koboModal.scss     |   1 -
 .../special/koboAccessibleSelect.module.scss  |  16 +-
 .../special/koboAccessibleSelect.tsx          | 105 ++++--
 .../usageLimits/useExceedingLimits.hook.ts    |  30 +-
 jsapp/js/featureFlags.ts                      |   3 +-
 kobo/apps/audit_log/signals.py                |   1 +
 kobo/apps/hook/tests/hook_test_case.py        |   1 +
 kobo/apps/hook/utils/tests/mixins.py          |  25 +-
 kobo/apps/kobo_auth/models.py                 |  10 +-
 .../viewsets/test_xform_submission_api.py     |   6 +-
 .../apps/api/viewsets/xform_submission_api.py |   1 +
 .../commands/populate_submission_counters.py  |  21 +-
 .../update_attachment_storage_bytes.py        |  19 +-
 ..._populate_daily_xform_counters_for_year.py |  34 +-
 .../0030_backfill_lost_monthly_counters.py    |  68 ----
 .../0031_remove_null_user_daily_counters.py   |  10 -
 ...032_alter_daily_submission_counter_user.py |   2 +-
 .../migrations/0039_populate_counters.py      | 120 +++++++
 .../openrosa/apps/logger/models/instance.py   |   7 +-
 .../apps/openrosa/apps/logger/models/xform.py |  12 +-
 .../0017_userprofile_submissions_suspended.py |  18 +
 .../openrosa/apps/main/models/user_profile.py |   1 +
 kobo/apps/openrosa/apps/main/urls.py          | 257 ++++++++------
 kobo/apps/openrosa/libs/filters.py            |   3 +-
 kobo/apps/openrosa/libs/utils/logger_tools.py |   2 +-
 kobo/apps/organizations/admin/__init__.py     |   2 +-
 kobo/apps/organizations/admin/organization.py |  13 +-
 .../admin/organization_invite.py              |   1 +
 .../organizations/admin/organization_user.py  |   9 +-
 kobo/apps/organizations/forms.py              |   1 +
 .../0006_update_organization_name.py          |   2 +-
 kobo/apps/organizations/models.py             |  97 ++++--
 kobo/apps/organizations/permissions.py        |   5 +-
 kobo/apps/organizations/serializers.py        |   3 +-
 kobo/apps/organizations/tasks.py              |   2 +-
 .../organizations/tests/test_organizations.py |   2 +-
 .../tests/test_organizations_api.py           |  59 ++--
 .../tests/test_organizations_model.py         |  22 ++
 kobo/apps/organizations/types.py              |   3 +
 kobo/apps/organizations/utils.py              |  11 +-
 kobo/apps/organizations/views.py              |  28 +-
 kobo/apps/project_ownership/models/invite.py  |  13 +-
 .../apps/project_ownership/models/transfer.py |   5 +-
 .../project_ownership/serializers/invite.py   |   3 +-
 .../tests/api/v2/test_api.py                  |   4 +
 kobo/apps/project_ownership/utils.py          |  22 +-
 kobo/apps/stripe/admin.py                     |  59 ++++
 kobo/apps/stripe/constants.py                 |  11 +
 kobo/apps/stripe/migrations/0001_initial.py   | 102 ++++++
 kobo/apps/stripe/migrations/__init__.py       |   0
 kobo/apps/stripe/models.py                    | 254 ++++++++++++++
 kobo/apps/stripe/serializers.py               |  21 +-
 .../templates/admin/add-ons/change_list.html  |   8 +
 .../stripe/tests/test_customer_portal_api.py  |  11 +-
 .../stripe/tests/test_one_time_addons_api.py  | 188 ++++++++--
 .../stripe/tests/test_organization_usage.py   |  51 +++
 kobo/apps/stripe/utils.py                     |  90 ++++-
 kobo/apps/stripe/views.py                     |  62 ++--
 .../integrations/google/google_transcribe.py  |   2 +
 .../tests/test_submission_extras_api_post.py  |  15 +-
 kobo/apps/trackers/tests/test_utils.py        | 121 +++++++
 kobo/apps/trackers/utils.py                   |  69 +++-
 kobo/settings/base.py                         |   3 +-
 kpi/backends.py                               |   2 +-
 kpi/db_routers.py                             |   5 +-
 kpi/deployment_backends/openrosa_backend.py   |  20 +-
 kpi/filters.py                                |  19 +-
 kpi/mixins/object_permission.py               |  12 +-
 kpi/permissions.py                            |   8 +-
 kpi/serializers/v2/asset.py                   |   1 +
 kpi/serializers/v2/service_usage.py           |   4 +
 .../test_api_asset_permission_assignment.py   |   4 +-
 kpi/tests/api/v2/test_api_assets.py           |   2 +-
 kpi/tests/api/v2/test_api_collections.py      |  60 ++--
 kpi/tests/api/v2/test_api_permissions.py      |  17 +-
 kpi/tests/api/v2/test_api_service_usage.py    |   8 +-
 kpi/tests/api/v2/test_api_submissions.py      |   3 +-
 kpi/tests/base_test_case.py                   |   5 +-
 kpi/tests/kpi_test_case.py                    |   4 +-
 kpi/tests/test_cache_utils.py                 |  55 +++
 kpi/tests/test_permissions.py                 |   6 +-
 kpi/tests/test_usage_calculator.py            |  40 ++-
 kpi/tests/utils/mixins.py                     |  32 +-
 kpi/utils/cache.py                            | 106 +++++-
 kpi/utils/django_orm_helper.py                |  32 +-
 kpi/utils/usage_calculator.py                 |  66 +++-
 kpi/views/v2/asset.py                         |   4 +-
 kpi/views/v2/asset_snapshot.py                |  15 +-
 109 files changed, 3235 insertions(+), 982 deletions(-)
 create mode 100644 jsapp/js/account/add-ons/oneTimeAddOnRow.component.tsx
 create mode 100644 jsapp/js/account/add-ons/updateBadge.component..tsx
 create mode 100644 jsapp/js/account/usage/one-time-add-on-usage-modal/one-time-add-on-list/oneTimeAddOnList.component.tsx
 create mode 100644 jsapp/js/account/usage/one-time-add-on-usage-modal/one-time-add-on-list/oneTimeAddOnList.module.scss
 create mode 100644 jsapp/js/account/usage/one-time-add-on-usage-modal/oneTimeAddOnUsageModal.component.tsx
 create mode 100644 jsapp/js/account/usage/one-time-add-on-usage-modal/oneTimeAddOnUsageModal.module.scss
 create mode 100644 jsapp/js/account/useOneTimeAddonList.hook.ts
 create mode 100644 kobo/apps/openrosa/apps/logger/migrations/0039_populate_counters.py
 create mode 100644 kobo/apps/openrosa/apps/main/migrations/0017_userprofile_submissions_suspended.py
 create mode 100644 kobo/apps/organizations/tests/test_organizations_model.py
 create mode 100644 kobo/apps/organizations/types.py
 create mode 100644 kobo/apps/stripe/admin.py
 create mode 100644 kobo/apps/stripe/migrations/0001_initial.py
 create mode 100644 kobo/apps/stripe/migrations/__init__.py
 create mode 100644 kobo/apps/stripe/models.py
 create mode 100644 kobo/apps/stripe/templates/admin/add-ons/change_list.html
 create mode 100644 kobo/apps/trackers/tests/test_utils.py
 create mode 100644 kpi/tests/test_cache_utils.py

diff --git a/hub/admin/extend_user.py b/hub/admin/extend_user.py
index e18e80493f..b962f2a1ad 100644
--- a/hub/admin/extend_user.py
+++ b/hub/admin/extend_user.py
@@ -25,6 +25,7 @@
 from kobo.apps.trash_bin.models.account import AccountTrash
 from kobo.apps.trash_bin.utils import move_to_trash
 from kpi.models.asset import AssetDeploymentStatus
+
 from .filters import UserAdvancedSearchFilter
 from .mixins import AdvancedSearchMixin
 
@@ -167,9 +168,7 @@ class ExtendedUserAdmin(AdvancedSearchMixin, UserAdmin):
     actions = ['remove', 'delete']
 
     class Media:
-        css = {
-            'all': ('admin/css/inline_as_fieldset.css',)
-        }
+        css = {'all': ('admin/css/inline_as_fieldset.css',)}
 
     @admin.action(description='Remove selected users (delete everything but their username)')
     def remove(self, request, queryset, **kwargs):
@@ -293,9 +292,13 @@ def _filter_queryset_for_organization_user(self, queryset):
         """
         Displays only users whose organization has a single member.
         """
-        return queryset.annotate(
-            user_count=Count('organizations_organization__organization_users')
-        ).filter(user_count__lte=1).order_by('username')
+        return (
+            queryset.annotate(
+                user_count=Count('organizations_organization__organization_users')
+            )
+            .filter(user_count__lte=1)
+            .order_by('username')
+        )
 
     def _remove_or_delete(
         self,
diff --git a/jsapp/js/account/accountSidebar.tsx b/jsapp/js/account/accountSidebar.tsx
index a8ef94ca45..41aa3a54ba 100644
--- a/jsapp/js/account/accountSidebar.tsx
+++ b/jsapp/js/account/accountSidebar.tsx
@@ -48,10 +48,6 @@ function AccountSidebar() {
     setShowPlans(true);
   }, [subscriptionStore.isInitialised]);
 
-  const showAddOnsLink = useMemo(() => {
-    return !subscriptionStore.planResponse.length;
-  }, [subscriptionStore.isInitialised]);
-
   return (
     <nav className={styles.accountSidebar}>
       <AccountNavLink
@@ -78,14 +74,12 @@ function AccountSidebar() {
                 name={t('Plans')}
                 to={ACCOUNT_ROUTES.PLAN}
               />
-              {showAddOnsLink && (
-                <AccountNavLink
-                  iconName='plus'
-                  name={t('Add-ons')}
-                  to={ACCOUNT_ROUTES.ADD_ONS}
-                  isNew
-                />
-              )}
+              <AccountNavLink
+                iconName='plus'
+                name={t('Add-ons')}
+                to={ACCOUNT_ROUTES.ADD_ONS}
+                isNew
+              />
             </>
           )}
         </>
diff --git a/jsapp/js/account/add-ons/addOnList.component.tsx b/jsapp/js/account/add-ons/addOnList.component.tsx
index 52401086db..3d119060b2 100644
--- a/jsapp/js/account/add-ons/addOnList.component.tsx
+++ b/jsapp/js/account/add-ons/addOnList.component.tsx
@@ -1,29 +1,24 @@
-import React, {useCallback, useEffect, useMemo, useState} from 'react';
+import React, {useContext, useEffect, useState} from 'react';
 import useWhen from 'js/hooks/useWhen.hook';
 import subscriptionStore from 'js/account/subscriptionStore';
-import {
+import type {
   Price,
   Organization,
   Product,
-  SubscriptionChangeType,
   SubscriptionInfo,
+  OneTimeAddOn,
 } from 'js/account/stripe.types';
-import {
-  getSubscriptionChangeDetails,
-  isAddonProduct,
-  isChangeScheduled,
-  isRecurringAddonProduct,
-  processCheckoutResponse,
-} from 'js/account/stripe.utils';
-import {formatDate} from 'js/utils';
-import {postCustomerPortal} from 'js/account/stripe.api';
+import {isAddonProduct} from 'js/account/stripe.utils';
 import styles from './addOnList.module.scss';
-import BillingButton from 'js/account/plans/billingButton.component';
-import Badge, {BadgeColor} from 'js/components/common/badge';
+import {OneTimeAddOnRow} from 'js/account/add-ons/oneTimeAddOnRow.component';
+import type {BadgeColor} from 'jsapp/js/components/common/badge';
+import Badge from 'jsapp/js/components/common/badge';
+import {formatDate} from 'js/utils';
+import {OneTimeAddOnsContext} from 'jsapp/js/account/useOneTimeAddonList.hook';
+import {FeatureFlag, useFeatureFlag} from 'jsapp/js/featureFlags';
 
 /**
- * A table of add-on products along with buttons to purchase/manage them.
- * @TODO Until one-time add-ons are complete, this only displays recurring add-ons.
+ * A table of add-on products along with dropdowns to purchase them.
  */
 const AddOnList = (props: {
   products: Product[];
@@ -42,6 +37,17 @@ const AddOnList = (props: {
     SubscriptionInfo[]
   >([]);
   const [addOnProducts, setAddOnProducts] = useState<Product[]>([]);
+  const oneTimeAddOnsContext = useContext(OneTimeAddOnsContext);
+  const areOneTimeAddonsEnabled = useFeatureFlag(FeatureFlag.oneTimeAddonsEnabled);
+  const oneTimeAddOnSubscriptions = oneTimeAddOnsContext.oneTimeAddOns;
+  const oneTimeAddOnProducts = addOnProducts.filter(
+    (product) => product.metadata.product_type === 'addon_onetime'
+  );
+  const recurringAddOnProducts = addOnProducts.filter(
+    (product) => product.metadata.product_type === 'addon'
+  );
+  const showRecurringAddons = !subscribedPlans.length && !!recurringAddOnProducts.length;
+  const showOneTimeAddons = areOneTimeAddonsEnabled && !!oneTimeAddOnProducts.length;
 
   /**
    * Extract the add-on products and prices from the list of all products
@@ -51,9 +57,7 @@ const AddOnList = (props: {
       return;
     }
     const addonProducts = props.products
-      .filter(isAddonProduct)
-      // TODO: remove the next line when one-time add-ons are ready
-      .filter(isRecurringAddonProduct)
+      .filter((product) => isAddonProduct(product))
       .map((product) => {
         return {
           ...product,
@@ -63,18 +67,6 @@ const AddOnList = (props: {
     setAddOnProducts(addonProducts);
   }, [props.products]);
 
-  const currentAddon = useMemo(() => {
-    if (subscriptionStore.addOnsResponse.length) {
-      return subscriptionStore.addOnsResponse[0];
-    } else {
-      return null;
-    }
-  }, [subscriptionStore.isInitialised]);
-
-  const subscriptionUpdate = useMemo(() => {
-    return getSubscriptionChangeDetails(currentAddon, props.products);
-  }, [currentAddon, props.products]);
-
   useWhen(
     () => subscriptionStore.isInitialised,
     () => {
@@ -85,127 +77,166 @@ const AddOnList = (props: {
     []
   );
 
-  const isSubscribedAddOnPrice = useCallback(
-    (price: Price) =>
-      isChangeScheduled(price, activeSubscriptions) ||
-      subscribedAddOns.some(
-        (subscription) => subscription.items[0].price.id === price.id
-      ),
-    [subscribedAddOns]
-  );
-
-  const handleCheckoutError = () => {
-    props.setIsBusy(false);
-  };
-
-  const onClickManage = (price?: Price) => {
-    if (!props.organization || props.isBusy) {
-      return;
-    }
-    props.setIsBusy(true);
-    postCustomerPortal(props.organization.id, price?.id)
-      .then(processCheckoutResponse)
-      .catch(handleCheckoutError);
-  };
-
-  const renderUpdateBadge = (price: Price) => {
-    if (!(subscriptionUpdate && isSubscribedAddOnPrice(price))) {
-      return null;
-    }
-
-    let color: BadgeColor;
-    let label;
-    switch (subscriptionUpdate.type) {
-      case SubscriptionChangeType.CANCELLATION:
-        color = 'light-red';
-        label = t('Ends on ##cancel_date##').replace(
-          '##cancel_date##',
-          formatDate(subscriptionUpdate.date)
-        );
-        break;
-      case SubscriptionChangeType.RENEWAL:
-        color = 'light-blue';
-        label = t('Renews on ##renewal_date##').replace(
-          '##renewal_date##',
-          formatDate(subscriptionUpdate.date)
-        );
-        break;
-      case SubscriptionChangeType.PRODUCT_CHANGE:
-        if (currentAddon?.items[0].price.product.id === price.product) {
-          color = 'light-amber';
-          label = t('Ends on ##end_date##').replace(
-            '##end_date##',
-            formatDate(subscriptionUpdate.date)
-          );
-        } else {
-          color = 'light-teal';
-          label = t('Starts on ##start_date##').replace(
-            '##start_date##',
-            formatDate(subscriptionUpdate.date)
-          );
-        }
-        break;
-      default:
-        return null;
-    }
-    return <Badge size={'s'} color={color} label={label} />;
-  };
-
-  if (!addOnProducts.length || subscribedPlans.length || !props.organization) {
+  if (!addOnProducts.length || !props.organization) {
     return null;
   }
 
+  function ActivePreviousAddons(
+    addOns: SubscriptionInfo[],
+    oneTimeAddOns: OneTimeAddOn[],
+    activeStatus: string,
+    available: boolean,
+    label: string,
+    badgeLabel: string,
+    color: BadgeColor
+  ) {
+    return (
+      <table className={styles.table}>
+        <caption className={`${styles.caption} ${styles.purchasedAddOns}`}>
+          <label className={styles.header}>{label}</label>
+        </caption>
+        <tbody>
+          {addOns.map((product) => {
+            if (product.status === activeStatus) {
+              return (
+                <tr className={styles.row} key={product.id}>
+                  <td className={styles.product}>
+                    <span className={styles.productName}>
+                      {product.items[0].price.product.name}
+                    </span>
+                    <Badge color={color} size={'s'} label={badgeLabel} />
+                    <p className={styles.description}>
+                      {t('Added on ##date##').replace(
+                        '##date##',
+                        formatDate(product.created)
+                      )}
+                    </p>
+                  </td>
+                  <td className={styles.activePrice}>
+                    {product.items[0].price.human_readable_price
+                      .replace('USD/month', '')
+                      .replace('USD/year', '')}
+                  </td>
+                </tr>
+              );
+            }
+            return null;
+          })}
+          {oneTimeAddOns.map((oneTimeAddOn: OneTimeAddOn) => {
+            if (oneTimeAddOn.is_available === available) {
+              return (
+                <tr className={styles.row} key={oneTimeAddOn.id}>
+                  <td className={styles.product}>
+                    <span className={styles.productName}>
+                      {t('##name## x ##quantity##')
+                        .replace(
+                          '##name##',
+                          oneTimeAddOnProducts.find(
+                            (product) => product.id === oneTimeAddOn.product
+                          )?.name || label
+                        )
+                        .replace(
+                          '##quantity##',
+                          oneTimeAddOn.quantity.toString()
+                        )}
+                    </span>
+                    <Badge color={color} size={'s'} label={badgeLabel} />
+                    <p className={styles.addonDescription}>
+                      {t('Added on ##date##').replace(
+                        '##date##',
+                        formatDate(oneTimeAddOn.created)
+                      )}
+                    </p>
+                  </td>
+                  <td className={styles.activePrice}>
+                    {'$##price##'.replace(
+                      '##price##',
+                      (
+                        (oneTimeAddOn.quantity *
+                          (oneTimeAddOnProducts.find(
+                            (product) => product.id === oneTimeAddOn.product
+                          )?.prices[0].unit_amount || 0)) /
+                        100
+                      ).toFixed(2)
+                    )}
+                  </td>
+                </tr>
+              );
+            }
+            return null;
+          })}
+        </tbody>
+      </table>
+    );
+  }
   return (
-    <table className={styles.table}>
-      <caption className={styles.caption}>
-        <label className={styles.header}>{t('available add-ons')}</label>
-        <p>
-          {t(
-            `Add-ons can be added to your Community plan to increase your usage limits. If you are approaching or
-            have reached the usage limits included with your plan, increase your limits with add-ons to continue
-            data collection.`
+    <>
+      <table className={styles.table}>
+        <caption className={styles.caption}>
+          <label className={styles.header}>{t('available add-ons')}</label>
+          <p>
+            {t(
+              `Add-ons can be added to your Community plan to increase your usage limits. If you are approaching or
+              have reached the usage limits included with your plan, increase your limits with add-ons to continue
+              data collection.`
+            )}
+          </p>
+        </caption>
+        <tbody>
+          {showRecurringAddons && (
+            <OneTimeAddOnRow
+              key={recurringAddOnProducts.map((product) => product.id).join('-')}
+              products={recurringAddOnProducts}
+              isBusy={props.isBusy}
+              setIsBusy={props.setIsBusy}
+              subscribedAddOns={subscribedAddOns}
+              activeSubscriptions={activeSubscriptions}
+              organization={props.organization}
+            />
+          )}
+          {showOneTimeAddons && (
+            <OneTimeAddOnRow
+              key={oneTimeAddOnProducts.map((product) => product.id).join('-')}
+              products={oneTimeAddOnProducts}
+              isBusy={props.isBusy}
+              setIsBusy={props.setIsBusy}
+              subscribedAddOns={subscribedAddOns}
+              activeSubscriptions={activeSubscriptions}
+              organization={props.organization}
+            />
           )}
-        </p>
-      </caption>
-      <tbody>
-        {addOnProducts.map((product) =>
-          product.prices.map((price) => (
-            <tr key={price.id}>
-              <td>
-                <div className={styles.productAndPrice}>
-                  <div>
-                    <span className={styles.productName}>{product.name}</span>
-                    {renderUpdateBadge(price)}
-                  </div>
-                  <div className={styles.price}>{price.human_readable_price}</div>
-                </div>
-              </td>
+        </tbody>
+      </table>
+      {subscribedAddOns.some((product) => product.status === 'active') ||
+      oneTimeAddOnSubscriptions.some(
+        (oneTimeAddOns) => oneTimeAddOns.is_available
+      )
+        ? ActivePreviousAddons(
+            subscribedAddOns,
+            oneTimeAddOnSubscriptions,
+            'active',
+            true,
+            t('your active add-ons'),
+            t('Active'),
+            'light-teal'
+          )
+        : null}
 
-              <td className={styles.buy}>
-                {isSubscribedAddOnPrice(price) && (
-                  <BillingButton
-                    size={'m'}
-                    label={t('Manage')}
-                    isDisabled={props.isBusy}
-                    onClick={onClickManage}
-                    isFullWidth
-                  />
-                )}
-                {!isSubscribedAddOnPrice(price) && (
-                  <BillingButton
-                    size={'m'}
-                    label={t('Buy now')}
-                    isDisabled={props.isBusy}
-                    onClick={() => props.onClickBuy(price)}
-                    isFullWidth
-                  />
-                )}
-              </td>
-            </tr>
-          ))
-        )}
-      </tbody>
-    </table>
+      {subscribedAddOns.some((product) => product.status !== 'active') ||
+      oneTimeAddOnSubscriptions.some(
+        (oneTimeAddOns) => !oneTimeAddOns.is_available
+      )
+        ? ActivePreviousAddons(
+            subscribedAddOns,
+            oneTimeAddOnSubscriptions,
+            'inactive',
+            false,
+            t('previous add-ons'),
+            t('Inactive'),
+            'light-storm'
+          )
+        : null}
+    </>
   );
 };
 
diff --git a/jsapp/js/account/add-ons/addOnList.module.scss b/jsapp/js/account/add-ons/addOnList.module.scss
index c8dc8c9864..78a8d43303 100644
--- a/jsapp/js/account/add-ons/addOnList.module.scss
+++ b/jsapp/js/account/add-ons/addOnList.module.scss
@@ -41,15 +41,128 @@
 
 .price {
   color: colors.$kobo-gray-700;
+  display: flex;
+  width: 100%;
+  justify-content: center;
+}
+
+.oneTimePrice {
+  width: 100%;
+  text-align: center;
+  font-weight: 600;
+  font-size: 16px;
+  color: colors.$kobo-gray-700;
+  padding-right: 15px;
 }
 
 .productName {
+  display: flex;
   margin-right: 12px;
+  font-size: 16px;
+  font-weight: 600;
+}
+
+.description {
+  display: none;
+}
+
+.oneTime {
+  display: flex;
+  width: 100%;
+  justify-content: right;
+}
+
+.purchasedAddOns {
+  padding-top: 2%;
+  padding-bottom: 2%;
+}
+
+.activePrice {
+  text-align: right;
+  font-size: 16px;
+  font-weight: 600;
+}
+
+.addonDescription {
+  display: flex;
+  font-size: 14px;
+  font-weight: 400;
+}
+
+.row {
+  display: table;
+  width: 100%;
+  align-items: center;
 }
 
 .buy {
-  width: 140px;
-  padding-left: 20px;
+  width: 200px;
+}
+
+.mobileView {
+  display: flex;
+  vertical-align: center;
+  flex: 1;
+  align-items: center;
+}
+
+.fullScreen {
+  display: none;
+}
+
+@media screen and (min-width: breakpoints.$b600) {
+  .table td:nth-child(2) {
+    margin-inline-end: 10em;
+  }
+
+  .description {
+    display: flex;
+    font-size: 14px;
+    font-weight: 400;
+  }
+
+  .productName {
+    display: table-cell;
+    width: 40%;
+  }
+
+  .fullScreen,
+  .price {
+    display: table-cell;
+    width: 30%;
+  }
+
+  .mobileView {
+    display: none;
+  }
+
+  .oneTimePrice,
+  .buy {
+    display: table-cell;
+    vertical-align: middle;
+    justify-content: center;
+  }
+
+  .oneTimePrice {
+    width: 50%;
+  }
+
+  .oneTime {
+    justify-content: center;
+
+    :last-child {
+      margin-left: 8px;
+    }
+  }
+
+  .productName {
+    margin-right: 12px;
+  }
+
+  .buy {
+    width: 140px;
+    padding-left: 20px;
+  }
 }
 
 @include breakpoints.breakpoint(mediumAndUp) {
diff --git a/jsapp/js/account/add-ons/oneTimeAddOnRow.component.tsx b/jsapp/js/account/add-ons/oneTimeAddOnRow.component.tsx
new file mode 100644
index 0000000000..5afb147004
--- /dev/null
+++ b/jsapp/js/account/add-ons/oneTimeAddOnRow.component.tsx
@@ -0,0 +1,205 @@
+import styles from 'js/account/add-ons/addOnList.module.scss';
+import React, {useMemo, useState} from 'react';
+import type {
+  Organization,
+  Product,
+  SubscriptionInfo,
+} from 'js/account/stripe.types';
+import KoboSelect3 from 'js/components/special/koboAccessibleSelect';
+import BillingButton from 'js/account/plans/billingButton.component';
+import {postCheckout, postCustomerPortal} from 'js/account/stripe.api';
+import {useDisplayPrice} from 'js/account/plans/useDisplayPrice.hook';
+import {isChangeScheduled} from 'js/account/stripe.utils';
+
+interface OneTimeAddOnRowProps {
+  products: Product[];
+  isBusy: boolean;
+  setIsBusy: (value: boolean) => void;
+  activeSubscriptions: SubscriptionInfo[];
+  subscribedAddOns: SubscriptionInfo[];
+  organization: Organization;
+}
+
+const MAX_ONE_TIME_ADDON_PURCHASE_QUANTITY = 10;
+
+const quantityOptions = Array.from(
+  {length: MAX_ONE_TIME_ADDON_PURCHASE_QUANTITY},
+  (_, zeroBasedIndex) => {
+    const index = (zeroBasedIndex + 1).toString();
+    return {value: index, label: index};
+  }
+);
+
+export const OneTimeAddOnRow = ({
+  products,
+  isBusy,
+  setIsBusy,
+  activeSubscriptions,
+  subscribedAddOns,
+  organization,
+}: OneTimeAddOnRowProps) => {
+  const [selectedProduct, setSelectedProduct] = useState(products[0]);
+  const [quantity, setQuantity] = useState('1');
+  const [selectedPrice, setSelectedPrice] = useState<Product['prices'][0]>(
+    selectedProduct.prices[0]
+  );
+  const displayPrice = useDisplayPrice(selectedPrice, parseInt(quantity));
+  const priceOptions = useMemo(
+    () =>
+      selectedProduct.prices.map((price) => {
+        return {value: price.id, label: price.recurring?.interval || 'me'};
+      }),
+    [selectedProduct]
+  );
+
+  let displayName;
+  let description;
+
+  if (
+    selectedProduct.metadata.asr_seconds_limit ||
+    selectedProduct.metadata.mt_characters_limit
+  ) {
+    displayName = t('NLP Package');
+    description = t(
+      'Increase your transcription minutes and translations characters.'
+    );
+  } else if (selectedProduct.metadata.storage_bytes_limit) {
+    displayName = t('File Storage');
+    description = t(
+      'Get up to 50GB of media storage on a KoboToolbox public server.'
+    );
+  }
+
+  const isSubscribedAddOnPrice = useMemo(
+    () =>
+      isChangeScheduled(selectedPrice, activeSubscriptions) ||
+      subscribedAddOns.some(
+        (subscription) => subscription.items[0].price.id === selectedPrice.id
+      ),
+    [subscribedAddOns, selectedPrice]
+  );
+
+  const onChangeProduct = (productId: string) => {
+    const product = products.find((product) => product.id === productId);
+    if (product) {
+      setSelectedProduct(product);
+      setSelectedPrice(product.prices[0]);
+    }
+  };
+
+  const onChangePrice = (inputPrice: string | null) => {
+    if (inputPrice) {
+      const priceObject = selectedProduct.prices.find(
+        (price) => inputPrice === price.id
+      );
+      if (priceObject) {
+        setSelectedPrice(priceObject);
+      }
+    }
+  };
+
+  const onChangeQuantity = (quantity: string | null) => {
+    if (quantity) {
+      setQuantity(quantity);
+    }
+  };
+
+  // TODO: Merge functionality of onClickBuy and onClickManage so we can unduplicate
+  // the billing button in priceTableCells
+  const onClickBuy = () => {
+    if (isBusy || !selectedPrice) {
+      return;
+    }
+    setIsBusy(true);
+    if (selectedPrice) {
+      postCheckout(selectedPrice.id, organization.id, parseInt(quantity))
+        .then((response) => window.location.assign(response.url))
+        .catch(() => setIsBusy(false));
+    }
+  };
+
+  const onClickManage = () => {
+    if (isBusy || !selectedPrice) {
+      return;
+    }
+    setIsBusy(true);
+    postCustomerPortal(organization.id)
+      .then((response) => window.location.assign(response.url))
+      .catch(() => setIsBusy(false));
+  };
+
+  const priceTableCells = (
+    <>
+      <div className={styles.oneTimePrice}>
+        {selectedPrice.recurring?.interval === 'year'
+          ? selectedPrice.human_readable_price
+          : displayPrice}
+      </div>
+      <div className={styles.buy}>
+        {isSubscribedAddOnPrice && (
+          <BillingButton
+            size={'m'}
+            label={t('Manage')}
+            isDisabled={Boolean(selectedPrice) && isBusy}
+            onClick={onClickManage}
+            isFullWidth
+          />
+        )}
+        {!isSubscribedAddOnPrice && (
+          <BillingButton
+            size={'m'}
+            label={t('Buy now')}
+            isDisabled={Boolean(selectedPrice) && isBusy}
+            onClick={onClickBuy}
+            isFullWidth
+          />
+        )}
+      </div>
+    </>
+  );
+
+  return (
+    <tr className={styles.row}>
+      <td className={styles.productName}>
+        {displayName}
+        {description && <p className={styles.description}>{description}</p>}
+        <div className={styles.mobileView}>
+          {priceTableCells}
+        </div>
+      </td>
+      <td className={styles.price}>
+        <div className={styles.oneTime}>
+          <KoboSelect3
+            size='m'
+            name='products'
+            options={products.map((product) => {
+              return {value: product.id, label: product.name};
+            })}
+            onChange={(productId) => onChangeProduct(productId as string)}
+            value={selectedProduct.id}
+          />
+          {displayName === 'File Storage' ? (
+            <KoboSelect3
+              size={'fit'}
+              name={t('prices')}
+              options={priceOptions}
+              onChange={onChangePrice}
+              value={selectedPrice.id}
+            />
+          ) : (
+            <KoboSelect3
+              size={'fit'}
+              name={t('quantity')}
+              options={quantityOptions}
+              onChange={onChangeQuantity}
+              value={quantity}
+            />
+          )}
+        </div>
+      </td>
+      <td className={styles.fullScreen}>
+        {priceTableCells}
+      </td>
+    </tr>
+  );
+};
diff --git a/jsapp/js/account/add-ons/updateBadge.component..tsx b/jsapp/js/account/add-ons/updateBadge.component..tsx
new file mode 100644
index 0000000000..5d69466201
--- /dev/null
+++ b/jsapp/js/account/add-ons/updateBadge.component..tsx
@@ -0,0 +1,62 @@
+import {
+  BaseProduct,
+  Price,
+  SubscriptionChangeType,
+  SubscriptionInfo,
+} from 'js/account/stripe.types';
+import Badge, {BadgeColor} from 'js/components/common/badge';
+import {formatDate} from 'js/utils';
+import React from 'react';
+
+interface UpdateBadgeProps {
+  price: Price;
+  subscriptionUpdate: {
+    type: SubscriptionChangeType;
+    nextProduct: BaseProduct | null;
+    date: string;
+  };
+  currentAddon: SubscriptionInfo | null;
+}
+
+export const UpdateBadge = ({
+  price,
+  subscriptionUpdate,
+  currentAddon,
+}: UpdateBadgeProps) => {
+  let color: BadgeColor;
+  let label;
+  switch (subscriptionUpdate.type) {
+    case SubscriptionChangeType.CANCELLATION:
+      color = 'light-red';
+      label = t('Ends on ##cancel_date##').replace(
+        '##cancel_date##',
+        formatDate(subscriptionUpdate.date)
+      );
+      break;
+    case SubscriptionChangeType.RENEWAL:
+      color = 'light-blue';
+      label = t('Renews on ##renewal_date##').replace(
+        '##renewal_date##',
+        formatDate(subscriptionUpdate.date)
+      );
+      break;
+    case SubscriptionChangeType.PRODUCT_CHANGE:
+      if (currentAddon?.items[0].price.product.id === price.product) {
+        color = 'light-amber';
+        label = t('Ends on ##end_date##').replace(
+          '##end_date##',
+          formatDate(subscriptionUpdate.date)
+        );
+      } else {
+        color = 'light-teal';
+        label = t('Starts on ##start_date##').replace(
+          '##start_date##',
+          formatDate(subscriptionUpdate.date)
+        );
+      }
+      break;
+    default:
+      return null;
+  }
+  return <Badge size={'s'} color={color} label={label} />;
+};
diff --git a/jsapp/js/account/billingContextProvider.component.tsx b/jsapp/js/account/billingContextProvider.component.tsx
index 4a2a590542..6b47c6b07c 100644
--- a/jsapp/js/account/billingContextProvider.component.tsx
+++ b/jsapp/js/account/billingContextProvider.component.tsx
@@ -1,4 +1,5 @@
 import React, {ReactNode} from 'react';
+import { OneTimeAddOnsContext, useOneTimeAddOns } from './useOneTimeAddonList.hook';
 import {UsageContext, useUsage} from 'js/account/usage/useUsage.hook';
 import {ProductsContext, useProducts} from 'js/account/useProducts.hook';
 import sessionStore from 'js/stores/session';
@@ -10,12 +11,16 @@ export const BillingContextProvider = (props: {children: ReactNode}) => {
   if (!sessionStore.isLoggedIn) {
     return <>{props.children}</>;
   }
+  
   const usage = useUsage(orgQuery.data?.id || null);
   const products = useProducts();
+  const oneTimeAddOns = useOneTimeAddOns();
   return (
     <UsageContext.Provider value={usage}>
       <ProductsContext.Provider value={products}>
-        {props.children}
+        <OneTimeAddOnsContext.Provider value={oneTimeAddOns}>
+            {props.children}
+        </OneTimeAddOnsContext.Provider>
       </ProductsContext.Provider>
     </UsageContext.Provider>
   );
diff --git a/jsapp/js/account/plans/billingButton.module.scss b/jsapp/js/account/plans/billingButton.module.scss
index 5780225f62..9665729f25 100644
--- a/jsapp/js/account/plans/billingButton.module.scss
+++ b/jsapp/js/account/plans/billingButton.module.scss
@@ -2,4 +2,5 @@
   display: flex;
   justify-content: center;
   font-weight: 700;
+  flex-shrink: 0;
 }
diff --git a/jsapp/js/account/plans/planContainer.component.tsx b/jsapp/js/account/plans/planContainer.component.tsx
index a9656fbe12..3a36c301b8 100644
--- a/jsapp/js/account/plans/planContainer.component.tsx
+++ b/jsapp/js/account/plans/planContainer.component.tsx
@@ -239,8 +239,8 @@ export const PlanContainer = ({
   const asrMinutes = useMemo(() => {
     return (
       (adjustedQuantity *
-        (parseInt(product.metadata?.nlp_seconds_limit || '0') ||
-          parseInt(product.price.metadata?.nlp_seconds_limit || '0'))) /
+        (parseInt(product.metadata?.asr_seconds_limit || '0') ||
+          parseInt(product.price.metadata?.asr_seconds_limit || '0'))) /
       60
     );
   }, [adjustedQuantity, product]);
@@ -248,8 +248,8 @@ export const PlanContainer = ({
   const mtCharacters = useMemo(() => {
     return (
       adjustedQuantity *
-      (parseInt(product.metadata?.nlp_character_limit || '0') ||
-        parseInt(product.price.metadata?.nlp_character_limit || '0'))
+      (parseInt(product.metadata?.mt_characters_limit || '0') ||
+        parseInt(product.price.metadata?.mt_characters_limit || '0'))
     );
   }, [adjustedQuantity, product]);
 
diff --git a/jsapp/js/account/plans/useDisplayPrice.hook.tsx b/jsapp/js/account/plans/useDisplayPrice.hook.tsx
index 04b1b42089..2edc56ecaa 100644
--- a/jsapp/js/account/plans/useDisplayPrice.hook.tsx
+++ b/jsapp/js/account/plans/useDisplayPrice.hook.tsx
@@ -18,6 +18,12 @@ export const useDisplayPrice = (
       submissionQuantity,
       price.transform_quantity
     );
+    if (!price?.recurring?.interval) {
+      return t('$##price##').replace(
+      '##price##',
+      totalPrice.toFixed(2)
+    );
+    }
     return t('$##price## USD/month').replace(
       '##price##',
       totalPrice.toFixed(2)
diff --git a/jsapp/js/account/stripe.api.ts b/jsapp/js/account/stripe.api.ts
index ad2784c30f..b1e2c267a1 100644
--- a/jsapp/js/account/stripe.api.ts
+++ b/jsapp/js/account/stripe.api.ts
@@ -9,6 +9,7 @@ import type {
   AccountLimit,
   ChangePlan,
   Checkout,
+  OneTimeAddOn,
   Organization,
   PriceMetadata,
   Product,
@@ -22,8 +23,8 @@ import sessionStore from 'js/stores/session';
 
 const DEFAULT_LIMITS: AccountLimit = Object.freeze({
   submission_limit: Limits.unlimited,
-  nlp_seconds_limit: Limits.unlimited,
-  nlp_character_limit: Limits.unlimited,
+  asr_seconds_limit: Limits.unlimited,
+  mt_characters_limit: Limits.unlimited,
   storage_bytes_limit: Limits.unlimited,
 });
 
@@ -33,6 +34,12 @@ export async function getProducts() {
   });
 }
 
+export async function getOneTimeAddOns() {
+  return fetchGet<PaginatedResponse<OneTimeAddOn>>(endpoints.ADD_ONS_URL, {
+    errorMessageDisplay: t('There was an error getting one-time add-ons.'),
+  });
+}
+
 export async function changeSubscription(
   price_id: string,
   subscription_id: string,
@@ -201,10 +208,10 @@ const getFreeTierLimits = async (limits: AccountLimit) => {
     newLimits['submission_limit'] = thresholds.data;
   }
   if (thresholds.translation_chars) {
-    newLimits['nlp_character_limit'] = thresholds.translation_chars;
+    newLimits['mt_characters_limit'] = thresholds.translation_chars;
   }
   if (thresholds.transcription_minutes) {
-    newLimits['nlp_seconds_limit'] = thresholds.transcription_minutes * 60;
+    newLimits['asr_seconds_limit'] = thresholds.transcription_minutes * 60;
   }
   return newLimits;
 };
@@ -232,6 +239,41 @@ const getRecurringAddOnLimits = (limits: AccountLimit) => {
   return newLimits;
 };
 
+/**
+ * Add one-time addon limits to already calculated account limits
+ */
+const addRemainingOneTimeAddOnLimits = (
+  limits: AccountLimit,
+  oneTimeAddOns: OneTimeAddOn[]
+) => {
+  // This yields a separate object, so we need to make a copy
+  limits = {...limits}
+  oneTimeAddOns
+    .filter((addon) => addon.is_available)
+    .forEach((addon) => {
+      if (
+        addon.limits_remaining.submission_limit &&
+        limits.submission_limit !== Limits.unlimited
+      ) {
+        limits.submission_limit += addon.limits_remaining.submission_limit;
+      }
+      if (
+        addon.limits_remaining.asr_seconds_limit &&
+        limits.asr_seconds_limit !== Limits.unlimited
+      ) {
+        limits.asr_seconds_limit += addon.limits_remaining.asr_seconds_limit;
+      }
+      if (
+        addon.limits_remaining.mt_characters_limit &&
+        limits.mt_characters_limit !== Limits.unlimited
+      ) {
+        limits.mt_characters_limit +=
+          addon.limits_remaining.mt_characters_limit;
+      }
+    });
+  return limits;
+};
+
 /**
  * Get all metadata keys for the logged-in user's plan, or from the free tier if they have no plan.
  */
@@ -280,24 +322,33 @@ const getStripeMetadataAndFreeTierStatus = async (products: Product[]) => {
  *  - the `FREE_TIER_THRESHOLDS` override
  *  - the user's subscription limits
  */
-export async function getAccountLimits(products: Product[]) {
+export async function getAccountLimits(
+  products: Product[],
+  oneTimeAddOns: OneTimeAddOn[]
+) {
   const {metadata, hasFreeTier} = await getStripeMetadataAndFreeTierStatus(
     products
   );
 
   // initialize to unlimited
-  let limits: AccountLimit = {...DEFAULT_LIMITS};
+  let recurringLimits: AccountLimit = {...DEFAULT_LIMITS};
 
   // apply any limits from the metadata
-  limits = {...limits, ...getLimitsForMetadata(metadata)};
+  recurringLimits = {...recurringLimits, ...getLimitsForMetadata(metadata)};
 
   if (hasFreeTier) {
     // if the user is on the free tier, overwrite their limits with whatever free tier limits exist
-    limits = await getFreeTierLimits(limits);
+    recurringLimits = await getFreeTierLimits(recurringLimits);
 
-    // if the user has active recurring add-ons, use those as the final say on their limits
-    limits = getRecurringAddOnLimits(limits);
+    // if the user has active recurring add-ons, use those as their limits
+    recurringLimits = getRecurringAddOnLimits(recurringLimits);
   }
 
-  return limits;
+  // create separate object with one-time addon limits added to the limits calculated so far
+  let remainingLimits = addRemainingOneTimeAddOnLimits(
+    recurringLimits,
+    oneTimeAddOns
+  );
+
+  return {recurringLimits, remainingLimits};
 }
diff --git a/jsapp/js/account/stripe.types.ts b/jsapp/js/account/stripe.types.ts
index b77752c2ff..ff867deb5f 100644
--- a/jsapp/js/account/stripe.types.ts
+++ b/jsapp/js/account/stripe.types.ts
@@ -180,11 +180,16 @@ export type LimitAmount = number | 'unlimited';
 
 export interface AccountLimit {
   submission_limit: LimitAmount;
-  nlp_seconds_limit: LimitAmount;
-  nlp_character_limit: LimitAmount;
+  asr_seconds_limit: LimitAmount;
+  mt_characters_limit: LimitAmount;
   storage_bytes_limit: LimitAmount;
 }
 
+export interface AccountLimitDetail {
+  recurringLimits: AccountLimit;
+  remainingLimits: AccountLimit;
+}
+
 export interface Checkout {
   url: string;
 }
@@ -217,3 +222,28 @@ export type ChangePlan =
   | {
       status: ChangePlanStatus.error;
     };
+
+export interface OneTimeAddOn {
+  id: string;
+  created: string;
+  is_available: boolean;
+  usage_limits: Partial<OneTimeUsageLimits>;
+  total_usage_limits: Partial<OneTimeUsageLimits>;
+  limits_remaining: Partial<OneTimeUsageLimits>;
+  organization: string;
+  product: string;
+  quantity: number;
+}
+
+export interface OneTimeUsageLimits {
+  submission_limit: number;
+  asr_seconds_limit: number;
+  mt_characters_limit: number;
+}
+
+export enum USAGE_TYPE {
+  'SUBMISSIONS',
+  'TRANSCRIPTION',
+  'TRANSLATION',
+  'STORAGE',
+}
diff --git a/jsapp/js/account/stripe.utils.ts b/jsapp/js/account/stripe.utils.ts
index cd2350bced..f91296bbe3 100644
--- a/jsapp/js/account/stripe.utils.ts
+++ b/jsapp/js/account/stripe.utils.ts
@@ -1,8 +1,12 @@
 import {when} from 'mobx';
+import prettyBytes from 'pretty-bytes';
+import {useCallback} from 'react';
 
 import {ACTIVE_STRIPE_STATUSES} from 'js/constants';
 import envStore from 'js/envStore';
 import {
+  Limits,
+  USAGE_TYPE,
   Price,
   BaseProduct,
   ChangePlan,
@@ -11,6 +15,7 @@ import {
   SubscriptionChangeType,
   SubscriptionInfo,
   TransformQuantity,
+  LimitAmount,
 } from 'js/account/stripe.types';
 import subscriptionStore from 'js/account/subscriptionStore';
 import {convertUnixTimestampToUtc, notify} from 'js/utils';
@@ -43,12 +48,16 @@ export async function hasActiveSubscription() {
   );
 }
 
-export function isAddonProduct(product: Product) {
-  return product.metadata.product_type === 'addon';
+export function isOneTimeAddonProduct(product: Product) {
+  return product.metadata?.product_type === 'addon_onetime';
 }
 
 export function isRecurringAddonProduct(product: Product) {
-  return product.prices.some((price) => price?.recurring);
+  return product.metadata?.product_type === 'addon';
+}
+
+export function isAddonProduct(product: Product) {
+  return isOneTimeAddonProduct(product) || isRecurringAddonProduct(product);
 }
 
 export function processCheckoutResponse(data: Checkout) {
@@ -215,3 +224,40 @@ export const isDowngrade = (
     getAdjustedQuantityForPrice(newQuantity, price.transform_quantity);
   return currentTotalPrice > newTotalPrice;
 };
+
+/**
+ * Render a limit amount, usage amount, or total balance as readable text
+ * @param {USAGE_TYPE} type - The limit/usage amount
+ * @param {number|'unlimited'} amount - The limit/usage amount
+ * @param {number|'unlimited'|null} [available=null] - If we're showing a balance,
+ * `amount` takes the usage amount and this takes the limit amount
+ */
+export const useLimitDisplay = () => {
+  const limitDisplay = useCallback(
+    (
+      type: USAGE_TYPE,
+      amount: LimitAmount,
+      available: LimitAmount | null = null
+    ) => {
+      if (amount === Limits.unlimited || available === Limits.unlimited) {
+        return t('Unlimited');
+      }
+      const total = available ? available - amount : amount;
+      switch (type) {
+        case USAGE_TYPE.STORAGE:
+          return prettyBytes(total);
+        case USAGE_TYPE.TRANSCRIPTION:
+          return t('##minutes## mins').replace(
+            '##minutes##',
+            typeof total === 'number'
+              ? Math.floor(total).toLocaleString()
+              : total
+          );
+        default:
+          return total.toLocaleString();
+      }
+    },
+    []
+  );
+  return {limitDisplay};
+};
diff --git a/jsapp/js/account/usage/one-time-add-on-usage-modal/one-time-add-on-list/oneTimeAddOnList.component.tsx b/jsapp/js/account/usage/one-time-add-on-usage-modal/one-time-add-on-list/oneTimeAddOnList.component.tsx
new file mode 100644
index 0000000000..c19dd7981e
--- /dev/null
+++ b/jsapp/js/account/usage/one-time-add-on-usage-modal/one-time-add-on-list/oneTimeAddOnList.component.tsx
@@ -0,0 +1,69 @@
+import React, {useContext, useMemo} from 'react';
+import styles from './oneTimeAddOnList.module.scss';
+import {OneTimeAddOn, USAGE_TYPE} from 'jsapp/js/account/stripe.types';
+import {useLimitDisplay} from 'jsapp/js/account/stripe.utils';
+import {ProductsContext} from 'jsapp/js/account/useProducts.hook';
+
+interface OneTimeAddOnList {
+  type: USAGE_TYPE;
+  oneTimeAddOns: OneTimeAddOn[];
+}
+
+function OneTimeAddOnList(props: OneTimeAddOnList) {
+  const [productsContext] = useContext(ProductsContext);
+  const {limitDisplay} = useLimitDisplay();
+
+  const formattedAddOns = useMemo(() => {
+    return props.oneTimeAddOns.map((addon) => {
+      let productName =
+        productsContext.products.find((product) => product.id === addon.product)
+          ?.name ?? 'One-Time Addon';
+
+      let remainingLimit = 0;
+      switch (props.type) {
+        case USAGE_TYPE.SUBMISSIONS:
+          remainingLimit = addon.limits_remaining.submission_limit ?? 0;
+          break;
+        case USAGE_TYPE.TRANSCRIPTION:
+          remainingLimit = addon.limits_remaining.asr_seconds_limit ?? 0;
+          remainingLimit = remainingLimit / 60;
+          break;
+        case USAGE_TYPE.TRANSLATION:
+          remainingLimit = addon.limits_remaining.mt_characters_limit ?? 0;
+          break;
+        default:
+          break;
+      }
+      return {
+        productName,
+        remainingLimit,
+        quantity: addon.quantity,
+      };
+    });
+  }, [props.oneTimeAddOns, props.type, productsContext.isLoaded]);
+
+  return (
+    <div className={styles.oneTimeAddOnListContainer}>
+      {formattedAddOns.map((addon, i) => (
+        <div className={styles.oneTimeAddOnListEntry} key={i}>
+          <label className={styles.productName}>
+            <span>{addon.productName}</span>
+            {addon.quantity > 1 && (
+              <span>
+                &nbsp;x {addon.quantity}
+              </span>
+            )}
+          </label>
+          <div>
+            {t('##REMAINING## remaining').replace(
+              '##REMAINING##',
+              limitDisplay(props.type, addon.remainingLimit)
+            )}
+          </div>
+        </div>
+      ))}
+    </div>
+  );
+}
+
+export default OneTimeAddOnList;
diff --git a/jsapp/js/account/usage/one-time-add-on-usage-modal/one-time-add-on-list/oneTimeAddOnList.module.scss b/jsapp/js/account/usage/one-time-add-on-usage-modal/one-time-add-on-list/oneTimeAddOnList.module.scss
new file mode 100644
index 0000000000..529feb5938
--- /dev/null
+++ b/jsapp/js/account/usage/one-time-add-on-usage-modal/one-time-add-on-list/oneTimeAddOnList.module.scss
@@ -0,0 +1,21 @@
+@use 'scss/colors';
+
+
+.oneTimeAddOnListContainer {
+  .oneTimeAddOnListEntry + .oneTimeAddOnListEntry {
+    margin-top: 8px;
+  }
+}
+
+.oneTimeAddOnListEntry {
+  display: flex;
+  justify-content: space-between;
+  padding: 16px;
+  border: 1px solid colors.$kobo-gray-300;
+  border-radius: 6px;
+
+  label {
+    margin-right: 30px;
+    font-weight: 600;
+  }
+}
diff --git a/jsapp/js/account/usage/one-time-add-on-usage-modal/oneTimeAddOnUsageModal.component.tsx b/jsapp/js/account/usage/one-time-add-on-usage-modal/oneTimeAddOnUsageModal.component.tsx
new file mode 100644
index 0000000000..a347149937
--- /dev/null
+++ b/jsapp/js/account/usage/one-time-add-on-usage-modal/oneTimeAddOnUsageModal.component.tsx
@@ -0,0 +1,105 @@
+import React, {useState} from 'react';
+import KoboModal from 'js/components/modals/koboModal';
+import KoboModalHeader from 'js/components/modals/koboModalHeader';
+import styles from './oneTimeAddOnUsageModal.module.scss';
+import {OneTimeAddOn, RecurringInterval, USAGE_TYPE} from '../../stripe.types';
+import {useLimitDisplay} from '../../stripe.utils';
+import OneTimeAddOnList from './one-time-add-on-list/oneTimeAddOnList.component';
+
+interface OneTimeAddOnUsageModalProps {
+  type: USAGE_TYPE;
+  recurringLimit: number;
+  remainingLimit: number;
+  period: RecurringInterval;
+  oneTimeAddOns: OneTimeAddOn[];
+  usage: number;
+}
+
+function OneTimeAddOnUsageModal(props: OneTimeAddOnUsageModalProps) {
+  const [showModal, setShowModal] = useState(false);
+  const toggleModal = () => {
+    setShowModal(!showModal);
+  };
+  const {limitDisplay} = useLimitDisplay();
+
+  const typeTitles: {[key in USAGE_TYPE]: string} = {
+    [USAGE_TYPE.STORAGE]: 'Storage GB',
+    [USAGE_TYPE.SUBMISSIONS]: 'Submissions',
+    [USAGE_TYPE.TRANSCRIPTION]: 'Transcription minutes',
+    [USAGE_TYPE.TRANSLATION]: 'Translation characters',
+  };
+
+  const periodAdjectiveDisplay: {[key in RecurringInterval]: string} = {
+    year: 'yearly',
+    month: 'monthly',
+  };
+
+  return (
+    <>
+      <li>
+        <a className={styles.addonModalTrigger} onClick={toggleModal}>
+          {t('View add-on details')}
+        </a>
+      </li>
+      <KoboModal isOpen={showModal} onRequestClose={toggleModal} size='medium'>
+        <KoboModalHeader headerColor='white' onRequestCloseByX={toggleModal}>
+          {t('Add-on details')}
+        </KoboModalHeader>
+        <section className={styles.addonModalContent}>
+          <div className={styles.addonUsageDetails}>
+            <div className={styles.addonTypeHeader}>
+              {t('##TYPE##').replace('##TYPE##', typeTitles[props.type])}
+            </div>
+            <ul className={styles.usageBreakdown}>
+              <li>
+                <label>
+                  {t('Included with ##PERIOD## plan').replace(
+                    '##PERIOD##',
+                    periodAdjectiveDisplay[props.period]
+                  )}
+                </label>
+                <data>{limitDisplay(props.type, props.recurringLimit)}</data>
+              </li>
+              <li>
+                <label>{t('From add-ons')}</label>
+                <data>
+                  {limitDisplay(
+                    props.type,
+                    props.recurringLimit,
+                    props.remainingLimit
+                  )}
+                </data>
+              </li>
+              <li>
+                <label>
+                  {t('Used this ##PERIOD##').replace(
+                    '##PERIOD##',
+                    props.period
+                  )}
+                </label>
+                <data>{limitDisplay(props.type, props.usage)}</data>
+              </li>
+              <li className={styles.totalAvailable}>
+                <label>
+                  <strong>{t('Total available')}</strong>
+                </label>
+                <data>
+                  <strong>
+                    {limitDisplay(props.type, props.remainingLimit)}
+                  </strong>
+                </data>
+              </li>
+            </ul>
+          </div>
+          <h2 className={styles.listHeaderText}>{t('Purchased add-ons')}</h2>
+          <OneTimeAddOnList
+            oneTimeAddOns={props.oneTimeAddOns}
+            type={props.type}
+          />
+        </section>
+      </KoboModal>
+    </>
+  );
+}
+
+export default OneTimeAddOnUsageModal;
diff --git a/jsapp/js/account/usage/one-time-add-on-usage-modal/oneTimeAddOnUsageModal.module.scss b/jsapp/js/account/usage/one-time-add-on-usage-modal/oneTimeAddOnUsageModal.module.scss
new file mode 100644
index 0000000000..6e2e23c862
--- /dev/null
+++ b/jsapp/js/account/usage/one-time-add-on-usage-modal/oneTimeAddOnUsageModal.module.scss
@@ -0,0 +1,57 @@
+
+@use 'scss/colors';
+
+.addonModalTrigger {
+  text-decoration: underline;
+  cursor: pointer;
+}
+
+.addonUsageDetails {
+  ul + .addonTypeHeader {
+    margin-top: 20px;
+  }
+
+  margin-bottom: 32px;
+}
+
+.addonTypeHeader {
+  font-weight: 600;
+  font-size: 12px;
+  color: colors.$kobo-gray-600;
+  text-transform: uppercase;
+}
+
+.addonModalContent {
+  padding: 0 24px 24px 24px;
+}
+
+.usageBreakdown {
+  margin-top: 8px;
+  
+  & > li {
+    display: flex;
+    justify-content: space-between;
+  }
+
+  li + li {
+    margin-top: 8x;
+  }
+
+  li:last-of-type {
+    margin-top: 14px;
+  }
+}
+
+.totalAvailable {
+  padding: 8px 0;
+  border: colors.$kobo-gray-200 1px;
+  border-style: solid none;
+}
+
+.listHeaderText {
+  font-size: 18px;
+  font-weight: 700;
+  color: colors.$kobo-storm;
+  text-transform: uppercase;
+  margin: 0 0 16px 0;
+}
diff --git a/jsapp/js/account/usage/usage.component.tsx b/jsapp/js/account/usage/usage.component.tsx
index 58edca16d1..b4cb480976 100644
--- a/jsapp/js/account/usage/usage.component.tsx
+++ b/jsapp/js/account/usage/usage.component.tsx
@@ -1,20 +1,19 @@
 import {when} from 'mobx';
 import React, {useContext, useEffect, useMemo, useState} from 'react';
 import {useLocation} from 'react-router-dom';
-import type {AccountLimit, LimitAmount} from 'js/account/stripe.types';
-import {Limits} from 'js/account/stripe.types';
+import type {AccountLimitDetail, LimitAmount, OneTimeAddOn} from 'js/account/stripe.types';
+import {Limits, USAGE_TYPE} from 'js/account/stripe.types';
 import {getAccountLimits} from 'js/account/stripe.api';
 import subscriptionStore from 'js/account/subscriptionStore';
 import LoadingSpinner from 'js/components/common/loadingSpinner';
-import UsageContainer, {
-  USAGE_CONTAINER_TYPE,
-} from 'js/account/usage/usageContainer';
+import UsageContainer from 'js/account/usage/usageContainer';
 import envStore from 'js/envStore';
 import {convertSecondsToMinutes, formatDate} from 'js/utils';
 import styles from './usage.module.scss';
 import useWhenStripeIsEnabled from 'js/hooks/useWhenStripeIsEnabled.hook';
 import {ProductsContext} from '../useProducts.hook';
 import {UsageContext} from 'js/account/usage/useUsage.hook';
+import {OneTimeAddOnsContext} from '../useOneTimeAddonList.hook';
 import moment from 'moment';
 import {YourPlan} from 'js/account/usage/yourPlan.component';
 import cx from 'classnames';
@@ -22,10 +21,14 @@ import LimitNotifications from 'js/components/usageLimits/limitNotifications.com
 import {useRefreshApiFetcher} from 'js/hooks/useRefreshApiFetcher.hook';
 
 interface LimitState {
-  storageByteLimit: LimitAmount;
-  nlpCharacterLimit: LimitAmount;
-  nlpMinuteLimit: LimitAmount;
-  submissionLimit: LimitAmount;
+  storageByteRemainingLimit: LimitAmount;
+  storageByteRecurringLimit: LimitAmount;
+  nlpCharacterRemainingLimit: LimitAmount;
+  nlpCharacterRecurringLimit: LimitAmount;
+  nlpMinuteRemainingLimit: LimitAmount;
+  nlpMinuteRecurringLimit: LimitAmount;
+  submissionsRemainingLimit: LimitAmount;
+  submissionsRecurringLimit: LimitAmount;
   isLoaded: boolean;
   stripeEnabled: boolean;
 }
@@ -33,13 +36,18 @@ interface LimitState {
 export default function Usage() {
   const [products] = useContext(ProductsContext);
   const [usage, loadUsage, usageStatus] = useContext(UsageContext);
+  const oneTimeAddOnsContext = useContext(OneTimeAddOnsContext);
   useRefreshApiFetcher(loadUsage, usageStatus);
 
   const [limits, setLimits] = useState<LimitState>({
-    storageByteLimit: Limits.unlimited,
-    nlpCharacterLimit: Limits.unlimited,
-    nlpMinuteLimit: Limits.unlimited,
-    submissionLimit: Limits.unlimited,
+    storageByteRemainingLimit: Limits.unlimited,
+    storageByteRecurringLimit: Limits.unlimited,
+    nlpCharacterRemainingLimit: Limits.unlimited,
+    nlpCharacterRecurringLimit: Limits.unlimited,
+    nlpMinuteRemainingLimit: Limits.unlimited,
+    nlpMinuteRecurringLimit: Limits.unlimited,
+    submissionsRemainingLimit: Limits.unlimited,
+    submissionsRecurringLimit: Limits.unlimited,
     isLoaded: false,
     stripeEnabled: false,
   });
@@ -51,8 +59,15 @@ export default function Usage() {
       !usageStatus.pending &&
       !usageStatus.error &&
       (products.isLoaded || !limits.stripeEnabled) &&
+      limits.isLoaded &&
+      oneTimeAddOnsContext.isLoaded,
+    [
+      usageStatus,
+      products.isLoaded,
       limits.isLoaded,
-    [usageStatus, products.isLoaded, limits.isLoaded, limits.stripeEnabled]
+      limits.stripeEnabled,
+      oneTimeAddOnsContext.isLoaded,
+    ]
   );
 
   const dateRange = useMemo(() => {
@@ -84,9 +99,12 @@ export default function Usage() {
   useEffect(() => {
     const getLimits = async () => {
       await when(() => envStore.isReady);
-      let limits: AccountLimit;
+      let limits: AccountLimitDetail;
       if (envStore.data.stripe_public_key) {
-        limits = await getAccountLimits(products.products);
+        limits = await getAccountLimits(
+          products.products,
+          oneTimeAddOnsContext.oneTimeAddOns
+        );
       } else {
         setLimits((prevState) => {
           return {
@@ -100,13 +118,22 @@ export default function Usage() {
       setLimits((prevState) => {
         return {
           ...prevState,
-          storageByteLimit: limits.storage_bytes_limit,
-          nlpCharacterLimit: limits.nlp_character_limit,
-          nlpMinuteLimit:
-            typeof limits.nlp_seconds_limit === 'number'
-              ? convertSecondsToMinutes(limits.nlp_seconds_limit)
-              : limits.nlp_seconds_limit,
-          submissionLimit: limits.submission_limit,
+          storageByteRemainingLimit: limits.remainingLimits.storage_bytes_limit,
+          storageByteRecurringLimit: limits.recurringLimits.storage_bytes_limit,
+          nlpCharacterRemainingLimit:
+            limits.remainingLimits.mt_characters_limit,
+          nlpCharacterRecurringLimit:
+            limits.recurringLimits.mt_characters_limit,
+          nlpMinuteRemainingLimit:
+            typeof limits.remainingLimits.asr_seconds_limit === 'number'
+              ? convertSecondsToMinutes(limits.remainingLimits.asr_seconds_limit)
+              : limits.remainingLimits.asr_seconds_limit,
+          nlpMinuteRecurringLimit:
+            typeof limits.recurringLimits.asr_seconds_limit === 'number'
+              ? convertSecondsToMinutes(limits.recurringLimits.asr_seconds_limit)
+              : limits.recurringLimits.asr_seconds_limit,
+          submissionsRemainingLimit: limits.remainingLimits.submission_limit,
+          submissionsRecurringLimit: limits.recurringLimits.submission_limit,
           isLoaded: true,
           stripeEnabled: true,
         };
@@ -114,7 +141,57 @@ export default function Usage() {
     };
 
     getLimits();
-  }, [products.isLoaded]);
+  }, [products.isLoaded, oneTimeAddOnsContext.isLoaded]);
+
+  function filterAddOns(type: USAGE_TYPE) {
+    const availableAddons = oneTimeAddOnsContext.oneTimeAddOns.filter(
+      (addon) => addon.is_available
+    );
+    
+    // Find the relevant addons, but first check and make sure add-on
+    // limits aren't superceded by an "unlimited" usage limit.
+    switch (type) {
+      case USAGE_TYPE.SUBMISSIONS:
+        return limits.submissionsRecurringLimit !== Limits.unlimited
+          ? availableAddons.filter(
+              (addon) => addon.total_usage_limits.submission_limit
+            )
+          : [];
+      case USAGE_TYPE.TRANSCRIPTION:
+        return limits.nlpMinuteRecurringLimit !== Limits.unlimited
+          ? availableAddons.filter(
+              (addon) => addon.total_usage_limits.asr_seconds_limit
+            )
+          : [];
+      case USAGE_TYPE.TRANSLATION:
+        return limits.nlpCharacterRecurringLimit !== Limits.unlimited
+          ? availableAddons.filter(
+              (addon) => addon.total_usage_limits.mt_characters_limit
+            )
+          : [];
+      default:
+        return [];
+    }
+  }
+
+  // Find out if any usage type has one-time addons so we can
+  // adjust the formatting of the usage containers to accommodate
+  // a detail link.
+  const hasAddOnsLayout = useMemo(() => {
+    let result = false;
+    for (const type of [
+      USAGE_TYPE.STORAGE,
+      USAGE_TYPE.SUBMISSIONS,
+      USAGE_TYPE.TRANSCRIPTION,
+      USAGE_TYPE.TRANSLATION,
+    ]) {
+      const relevantAddons = filterAddOns(type);
+      if (relevantAddons.length > 0) {
+        result = true;
+      }
+    }
+    return result;
+  }, [oneTimeAddOnsContext.isLoaded, limits.isLoaded]);
 
   // if stripe is enabled, load fresh subscription info whenever we navigate to this route
   useWhenStripeIsEnabled(() => {
@@ -149,8 +226,12 @@ export default function Usage() {
             </span>
             <UsageContainer
               usage={usage.submissions}
-              limit={limits.submissionLimit}
+              remainingLimit={limits.submissionsRemainingLimit}
+              recurringLimit={limits.submissionsRecurringLimit}
+              oneTimeAddOns={filterAddOns(USAGE_TYPE.SUBMISSIONS)}
+              hasAddOnsLayout={hasAddOnsLayout}
               period={usage.trackingPeriod}
+              type={USAGE_TYPE.SUBMISSIONS}
             />
           </div>
           <div className={styles.box}>
@@ -160,10 +241,13 @@ export default function Usage() {
             </span>
             <UsageContainer
               usage={usage.storage}
-              limit={limits.storageByteLimit}
+              remainingLimit={limits.storageByteRemainingLimit}
+              recurringLimit={limits.storageByteRecurringLimit}
+              oneTimeAddOns={filterAddOns(USAGE_TYPE.STORAGE)}
+              hasAddOnsLayout={hasAddOnsLayout}
               period={usage.trackingPeriod}
               label={t('Total')}
-              type={USAGE_CONTAINER_TYPE.STORAGE}
+              type={USAGE_TYPE.STORAGE}
             />
           </div>
         </div>
@@ -177,9 +261,12 @@ export default function Usage() {
             </span>
             <UsageContainer
               usage={usage.transcriptionMinutes}
-              limit={limits.nlpMinuteLimit}
+              remainingLimit={limits.nlpMinuteRemainingLimit}
+              recurringLimit={limits.nlpMinuteRecurringLimit}
+              oneTimeAddOns={filterAddOns(USAGE_TYPE.TRANSCRIPTION)}
+              hasAddOnsLayout={hasAddOnsLayout}
               period={usage.trackingPeriod}
-              type={USAGE_CONTAINER_TYPE.TRANSCRIPTION}
+              type={USAGE_TYPE.TRANSCRIPTION}
             />
           </div>
           <div className={styles.box}>
@@ -191,8 +278,12 @@ export default function Usage() {
             </span>
             <UsageContainer
               usage={usage.translationChars}
-              limit={limits.nlpCharacterLimit}
+              remainingLimit={limits.nlpCharacterRemainingLimit}
+              recurringLimit={limits.nlpCharacterRecurringLimit}
+              oneTimeAddOns={filterAddOns(USAGE_TYPE.TRANSLATION)}
+              hasAddOnsLayout={hasAddOnsLayout}
               period={usage.trackingPeriod}
+              type={USAGE_TYPE.TRANSLATION}
             />
           </div>
         </div>
diff --git a/jsapp/js/account/usage/usageContainer.tsx b/jsapp/js/account/usage/usageContainer.tsx
index 7de56ccdce..6768dfaf30 100644
--- a/jsapp/js/account/usage/usageContainer.tsx
+++ b/jsapp/js/account/usage/usageContainer.tsx
@@ -1,127 +1,127 @@
-import prettyBytes from 'pretty-bytes';
-import React, {useCallback, useMemo, useState} from 'react';
-import type {LimitAmount, RecurringInterval} from 'js/account/stripe.types';
+import React, {useMemo, useState} from 'react';
+import type {
+  LimitAmount,
+  OneTimeAddOn,
+  RecurringInterval,
+} from 'js/account/stripe.types';
 import Icon from 'js/components/common/icon';
 import styles from 'js/account/usage/usageContainer.module.scss';
 import {USAGE_WARNING_RATIO} from 'js/constants';
-import {Limits} from 'js/account/stripe.types';
+import {Limits, USAGE_TYPE} from 'js/account/stripe.types';
+import {useLimitDisplay} from '../stripe.utils';
 import cx from 'classnames';
 import subscriptionStore from 'js/account/subscriptionStore';
 import Badge from 'js/components/common/badge';
 import useWhenStripeIsEnabled from 'js/hooks/useWhenStripeIsEnabled.hook';
-
-export enum USAGE_CONTAINER_TYPE {
-  'TRANSCRIPTION',
-  'STORAGE',
-}
+import OneTimeAddOnUsageModal from './one-time-add-on-usage-modal/oneTimeAddOnUsageModal.component';
 
 interface UsageContainerProps {
   usage: number;
-  limit: LimitAmount;
+  remainingLimit: LimitAmount;
+  recurringLimit: LimitAmount;
+  oneTimeAddOns: OneTimeAddOn[];
+  hasAddOnsLayout: boolean;
   period: RecurringInterval;
   label?: string;
-  type?: USAGE_CONTAINER_TYPE;
+  type: USAGE_TYPE;
 }
 
 const UsageContainer = ({
   usage,
-  limit,
+  remainingLimit,
+  recurringLimit,
+  oneTimeAddOns,
+  hasAddOnsLayout,
   period,
+  type,
   label = undefined,
-  type = undefined,
 }: UsageContainerProps) => {
   const [isStripeEnabled, setIsStripeEnabled] = useState(false);
   const [subscriptions] = useState(() => subscriptionStore);
-  const hasStorageAddOn = useMemo(
+  const hasRecurringAddOn = useMemo(
     () => subscriptions.addOnsResponse.length > 0,
     [subscriptions.addOnsResponse]
   );
+
+  const displayOneTimeAddons = useMemo(
+    () => oneTimeAddOns.length > 0,
+    [oneTimeAddOns]
+  );
+
+  const {limitDisplay} = useLimitDisplay();
+
   useWhenStripeIsEnabled(() => setIsStripeEnabled(true), []);
   let limitRatio = 0;
-  if (limit !== Limits.unlimited && limit) {
-    limitRatio = usage / limit;
+  if (remainingLimit !== Limits.unlimited && remainingLimit) {
+    limitRatio = usage / remainingLimit;
   }
   const isOverLimit = limitRatio >= 1;
   const isNearingLimit = !isOverLimit && limitRatio > USAGE_WARNING_RATIO;
 
-  /**
-   * Render a limit amount, usage amount, or total balance as readable text
-   * @param {number|'unlimited'} amount - The limit/usage amount
-   * @param {number|'unlimited'} [available] - If we're showing a balance,
-   * `amount` takes the usage amount and this takes the limit amount
-   */
-  const limitDisplay = useCallback(
-    (amount: LimitAmount, available?: LimitAmount) => {
-      if (amount === Limits.unlimited || available === Limits.unlimited) {
-        return t('Unlimited');
-      }
-      const total = available ? available - amount : amount;
-      switch (type) {
-        case USAGE_CONTAINER_TYPE.STORAGE:
-          return prettyBytes(total);
-        case USAGE_CONTAINER_TYPE.TRANSCRIPTION:
-          return t('##minutes## mins').replace(
-            '##minutes##',
-            total.toLocaleString()
-          );
-        default:
-          return total.toLocaleString();
-      }
-    },
-    [limit, type, usage]
-  );
-
   return (
-    <>
-      <ul className={cx(styles.usage, {[styles.hasAddon]: hasStorageAddOn})}>
-        {isStripeEnabled && (
-          <li>
-            <label>{t('Available')}</label>
-            <data value={limit}>{limitDisplay(limit)}</data>
-          </li>
-        )}
+    <ul
+      className={cx(styles.usage, {
+        [styles.hasAddon]: hasRecurringAddOn || hasAddOnsLayout,
+      })}
+    >
+      {isStripeEnabled && (
         <li>
+          <label>{t('Available')}</label>
+          <data value={remainingLimit}>
+            {limitDisplay(type, remainingLimit)}
+          </data>
+        </li>
+      )}
+      <li>
+        <label>
+          {label ||
+            (period === 'month' ? t('Used this month') : t('Used this year'))}
+        </label>
+        <data>{limitDisplay(type, usage)}</data>
+      </li>
+      {isStripeEnabled && (
+        <li className={cx(styles.balanceEntry)}>
           <label>
-            {label ||
-              (period === 'month' ? t('Used this month') : t('Used this year'))}
+            <strong>{t('Balance')}</strong>
           </label>
-          <data>{limitDisplay(usage)}</data>
+          <div
+            className={cx(styles.balanceContainer, {
+              [styles.warning]: isNearingLimit,
+              [styles.overlimit]: isOverLimit,
+            })}
+          >
+            {isNearingLimit && <Icon name='warning' color='amber' size='m' />}
+            {isOverLimit && <Icon name='warning' color='mid-red' size='m' />}
+            <strong>{limitDisplay(type, usage, remainingLimit)}</strong>
+          </div>
+        </li>
+      )}
+      {hasRecurringAddOn && type === USAGE_TYPE.STORAGE && (
+        <li>
+          <Badge
+            color={'light-blue'}
+            size={'m'}
+            label={
+              <strong>
+                {subscriptions.addOnsResponse[0].items?.[0].price.product.name}
+              </strong>
+            }
+          />
         </li>
-        {isStripeEnabled && (
-          <li className={cx(styles.balanceEntry)}>
-            <label>
-              <strong>{t('Balance')}</strong>
-            </label>
-            <div
-              className={cx(styles.balanceContainer, {
-                [styles.warning]: isNearingLimit,
-                [styles.overlimit]: isOverLimit,
-              })}
-            >
-              {isNearingLimit && <Icon name='warning' color='amber' size='m' />}
-              {isOverLimit && <Icon name='warning' color='mid-red' size='m' />}
-              <strong>{limitDisplay(usage, limit)}</strong>
-            </div>
-          </li>
-        )}
-        {hasStorageAddOn && type === USAGE_CONTAINER_TYPE.STORAGE && (
-          <li>
-            <Badge
-              color={'light-blue'}
-              size={'m'}
-              label={
-                <strong>
-                  {
-                    subscriptions.addOnsResponse[0].items?.[0].price.product
-                      .name
-                  }
-                </strong>
-              }
-            />
-          </li>
-        )}
-      </ul>
-    </>
+      )}
+      {displayOneTimeAddons && (
+        // We have already checked for "unlimited" limit amounts when filtering the addons,
+        // so we can now cast limits as numbers
+        <OneTimeAddOnUsageModal
+          type={type}
+          recurringLimit={recurringLimit as number}
+          remainingLimit={remainingLimit as number}
+          period={period}
+          oneTimeAddOns={oneTimeAddOns}
+          usage={usage}
+        />
+      )}
+    </ul>
   );
 };
 
diff --git a/jsapp/js/account/useOneTimeAddonList.hook.ts b/jsapp/js/account/useOneTimeAddonList.hook.ts
new file mode 100644
index 0000000000..bb98330f82
--- /dev/null
+++ b/jsapp/js/account/useOneTimeAddonList.hook.ts
@@ -0,0 +1,37 @@
+import {createContext, useState} from 'react';
+import type {
+  OneTimeAddOn,
+} from 'js/account/stripe.types';
+import useWhenStripeIsEnabled from 'js/hooks/useWhenStripeIsEnabled.hook';
+import {getOneTimeAddOns} from 'js/account/stripe.api';
+
+export interface OneTimeAddOnState {
+  oneTimeAddOns: OneTimeAddOn[];
+  isLoaded: boolean;
+}
+
+const INITIAL_ADDONS_STATE: OneTimeAddOnState = Object.freeze({
+  oneTimeAddOns: [],
+  isLoaded: false,
+});
+
+export function useOneTimeAddOns() {
+  const [addons, setAddons] = useState<OneTimeAddOnState>(INITIAL_ADDONS_STATE);
+
+  // get list of addons
+  useWhenStripeIsEnabled(() => {
+    getOneTimeAddOns().then((oneTimeAddOns) => {
+      setAddons(() => {
+        return {
+          oneTimeAddOns: oneTimeAddOns.results,
+          isLoaded: true,
+        };
+      });
+    });
+  }, []);
+
+  return addons;
+}
+
+export const OneTimeAddOnsContext =
+  createContext<OneTimeAddOnState>(INITIAL_ADDONS_STATE);
diff --git a/jsapp/js/api.endpoints.ts b/jsapp/js/api.endpoints.ts
index 5a4c6e899d..8dc21499db 100644
--- a/jsapp/js/api.endpoints.ts
+++ b/jsapp/js/api.endpoints.ts
@@ -3,6 +3,7 @@ export const endpoints = {
   ME_URL: '/me/',
   PRODUCTS_URL: '/api/v2/stripe/products/',
   SUBSCRIPTION_URL: '/api/v2/stripe/subscriptions/',
+  ADD_ONS_URL: '/api/v2/stripe/addons/',
   ORGANIZATION_URL: '/api/v2/organizations/',
   /** Expected parameters: price_id and organization_id **/
   CHECKOUT_URL: '/api/v2/stripe/checkout-link',
diff --git a/jsapp/js/components/modals/koboModal.scss b/jsapp/js/components/modals/koboModal.scss
index a314f6c703..e50111c307 100644
--- a/jsapp/js/components/modals/koboModal.scss
+++ b/jsapp/js/components/modals/koboModal.scss
@@ -137,7 +137,6 @@ $kobo-modal-header-icon-margin: 10px;
   &.kobo-modal__footer--end {
     justify-content: flex-end;
   }
-
 }
 
 // If the KoboModalContent component is used together with the KoboModalFooter
diff --git a/jsapp/js/components/special/koboAccessibleSelect.module.scss b/jsapp/js/components/special/koboAccessibleSelect.module.scss
index 2fab6f334e..406f5cd487 100644
--- a/jsapp/js/components/special/koboAccessibleSelect.module.scss
+++ b/jsapp/js/components/special/koboAccessibleSelect.module.scss
@@ -16,6 +16,18 @@ $input-color: colors.$kobo-gray-800;
   font-size: 12px;
 }
 
+.m {
+  width: 60%;
+}
+
+.s {
+  width: 8em;
+}
+
+.fit {
+  width: min-content;
+}
+
 // Dropdown trigger.
 // A focusable input that receives keyboard shortcuts and mouse clicks
 .trigger {
@@ -93,7 +105,9 @@ $k-select-menu-padding: 6px;
 // Menu containing a list of options.
 .menu {
   display: none;
-  &[data-expanded='true'] {display: block;}
+  &[data-expanded='true'] {
+    display: block;
+  }
   user-select: none;
 
   position: absolute;
diff --git a/jsapp/js/components/special/koboAccessibleSelect.tsx b/jsapp/js/components/special/koboAccessibleSelect.tsx
index cab407999b..dedaeb4d97 100644
--- a/jsapp/js/components/special/koboAccessibleSelect.tsx
+++ b/jsapp/js/components/special/koboAccessibleSelect.tsx
@@ -40,17 +40,21 @@ export default function KoboSelect3(props: KoboSelect3Props) {
       return NOTHING_SELECTED;
     }
   };
-  const findPropOption = () => (
-    props.options.find((o) => o.value === props.value) || NOTHING_SELECTED
-  );
-  const indexOfPropOption = () => (
-    props.options.findIndex((o) => o.value === props.value)
-  );
+  const findPropOption = () =>
+    props.options.find((o) => o.value === props.value) || NOTHING_SELECTED;
+  const indexOfPropOption = () =>
+    props.options.findIndex((o) => o.value === props.value);
   const homeIndex = () => (props.isClearable ? -1 : 0); // first or deselection
-  const endIndex = () => (props.options.length - 1);
-  const openMenu = () => {setExpanded(true);};
-  const closeMenu = () => {setExpanded(false);};
-  const toggleMenu = () => {setExpanded((b) => !b);};
+  const endIndex = () => props.options.length - 1;
+  const openMenu = () => {
+    setExpanded(true);
+  };
+  const closeMenu = () => {
+    setExpanded(false);
+  };
+  const toggleMenu = () => {
+    setExpanded((b) => !b);
+  };
   const resetRefs = () => {
     // Reset refs to prop value; we do this in more than one place
     indexRef.current = indexOfPropOption();
@@ -77,11 +81,10 @@ export default function KoboSelect3(props: KoboSelect3Props) {
     const combining = /[\u0300-\u036F]/g;
     return str.normalize('NFKD').replace(combining, '');
   };
-  const matchesBeginningOf = (needle: string, haystack: string) => (
-    closestAscii(haystack).toLowerCase().startsWith(
-      closestAscii(needle).toLowerCase()
-    )
-  );
+  const matchesBeginningOf = (needle: string, haystack: string) =>
+    closestAscii(haystack)
+      .toLowerCase()
+      .startsWith(closestAscii(needle).toLowerCase());
   const jumpToNextPrefixMatch = (prefix: string) => {
     const start = (indexRef.current + 1) % props.options.length;
     for (let i = 0; i < props.options.length; i++) {
@@ -97,39 +100,55 @@ export default function KoboSelect3(props: KoboSelect3Props) {
 
   // If there's a valid selection, indexRef and optionRef are up-to-date.
   // Otherwise, indexRef is -1 and optionRef is NOTHING_SELECTED.
-  if (!expanded) {resetRefs();}
+  if (!expanded) {
+    resetRefs();
+  }
 
   // Do what we need to do if the options list changes
   useEffect(() => {
     resetRefs();
-    if (expanded) {scrollOptionIntoView();}
+    if (expanded) {
+      scrollOptionIntoView();
+    }
   }, [props.options]);
 
   // Ensure selected option is visible as the menu opens
   useEffect(() => {
-    if (expanded) {scrollOptionIntoView();}
+    if (expanded) {
+      scrollOptionIntoView();
+    }
   }, [expanded]);
 
   // Refs and helpers for letter cycling / prefix matching.
   const cycle = useRef(true);
   const buffer = useRef('');
   const lastLetterTime = useRef(0); // millis
-  const beginMatchMode = () => {cycle.current = false;};
-  const cancelMatchMode = () => {cycle.current = true; buffer.current = '';};
+  const beginMatchMode = () => {
+    cycle.current = false;
+  };
+  const cancelMatchMode = () => {
+    cycle.current = true;
+    buffer.current = '';
+  };
   const emulateBrowserSelectLetterMatching = (eventKey: string) => {
     // Some non-letter keys cancel MATCH mode regardless of timing
     if (/(Tab|Enter|Esc|Home|End|Arrow|Page)/.test(eventKey)) {
-      cancelMatchMode(); return;
+      cancelMatchMode();
+      return;
     }
 
     // The rest of this function deals with single-letter keystroke events.
-    if (eventKey.length > 1) {return;}
+    if (eventKey.length > 1) {
+      return;
+    }
 
     // Check what time it is.
     // If it's been more than a second since the last letter, we revert to
     // CYCLE mode.
     const now = Date.now(); // current time in milliseconds
-    if (now - lastLetterTime.current > 1000) {cancelMatchMode();}
+    if (now - lastLetterTime.current > 1000) {
+      cancelMatchMode();
+    }
     lastLetterTime.current = now; // remember time of this letter keystroke
 
     // Begin MATCH mode if encountering a new letter while in cycle mode
@@ -139,14 +158,19 @@ export default function KoboSelect3(props: KoboSelect3Props) {
     //        ångström       (a)
     //        atom
     //        disco                                      (d)
-    if (cycle.current && buffer.current.length > 0 &&
+    if (
+      cycle.current &&
+      buffer.current.length > 0 &&
       // Compare key (e.g. 'a') with first letter of (cycled) buffer, ('aaa')
-      !matchesBeginningOf(eventKey, buffer.current)) {
+      !matchesBeginningOf(eventKey, buffer.current)
+    ) {
       beginMatchMode();
     }
 
     // Space ' ' doesn't cycle or start a buffer, but it may appear in a match
-    if (eventKey === ' ' && buffer.current.length === 0) {return;}
+    if (eventKey === ' ' && buffer.current.length === 0) {
+      return;
+    }
 
     // Append the current letter to the letter buffer.
     buffer.current += eventKey;
@@ -245,7 +269,9 @@ export default function KoboSelect3(props: KoboSelect3Props) {
     forceUpdate();
   };
 
-  const triggerBlurHandler = () => {closeMenu();};
+  const triggerBlurHandler = () => {
+    closeMenu();
+  };
   const triggerMouseDownHandler = (e: React.MouseEvent) => {
     if (e.button === 0) {
       toggleMenu();
@@ -269,10 +295,12 @@ export default function KoboSelect3(props: KoboSelect3Props) {
     }
     forceUpdate();
   };
-  const preventDefault = (e: React.UIEvent) => {e.preventDefault();};
+  const preventDefault = (e: React.UIEvent) => {
+    e.preventDefault();
+  };
 
   return (
-    <div className={styles.root}>
+    <div className={cx(styles.root, props.size && styles[props.size])}>
       <label className={styles.label} htmlFor={'select-' + props.name}>
         {props.label}
         {props.required && <span className={styles.redAsterisk}> * </span>}
@@ -282,7 +310,7 @@ export default function KoboSelect3(props: KoboSelect3Props) {
         className={cx(
           styles.trigger,
           props.value || styles.placeholding,
-          props.error && styles.hasError,
+          props.error && styles.hasError
         )}
         type='button'
         // ARIA. There's room for improvement here.
@@ -327,7 +355,7 @@ export default function KoboSelect3(props: KoboSelect3Props) {
             key={option.value}
             className={cx(
               styles.option,
-              optionRef.current.value === option.value && styles.selected,
+              optionRef.current.value === option.value && styles.selected
             )}
             data-value={option.value}
           >
@@ -336,11 +364,14 @@ export default function KoboSelect3(props: KoboSelect3Props) {
           </div>
         ))}
       </div>
-      <input type='hidden' name={props.name} value={props.value} required={props.required} />
+      <input
+        type='hidden'
+        name={props.name}
+        value={props.value}
+        required={props.required}
+      />
       {/* Like other input fields */}
-      {props.error && <p className={styles.error}>
-         {props.error}
-      </p>}
+      {props.error && <p className={styles.error}>{props.error}</p>}
     </div>
   );
 }
@@ -371,9 +402,9 @@ interface KoboSelect3Props {
   // isPending?: boolean; // TODO
 
   // design system
-  // size?: 'l' | 'm' | 's'; // oops, all 'l'.
+  // size?: 'l' | 'm' | 's' | 'fit'; // 'fit' uses min-content
   // type?: 'blue' | 'gray' | 'outline'; // oops, all 'outline'
-  size?: 'l';
+  size?: 'l' | 'm' | 's' | 'fit';
   type?: 'outline';
   noMaxMenuHeight?: boolean; // Override 4.5 item height limit
 
diff --git a/jsapp/js/components/usageLimits/useExceedingLimits.hook.ts b/jsapp/js/components/usageLimits/useExceedingLimits.hook.ts
index 2aa831db66..a258e40426 100644
--- a/jsapp/js/components/usageLimits/useExceedingLimits.hook.ts
+++ b/jsapp/js/components/usageLimits/useExceedingLimits.hook.ts
@@ -8,6 +8,7 @@ import {when} from 'mobx';
 import subscriptionStore from 'js/account/subscriptionStore';
 import {UsageContext} from 'js/account/usage/useUsage.hook';
 import {ProductsContext} from 'jsapp/js/account/useProducts.hook';
+import {OneTimeAddOnsContext} from 'jsapp/js/account/useOneTimeAddonList.hook';
 
 interface SubscribedState {
   subscribedProduct: null | SubscriptionInfo;
@@ -25,6 +26,7 @@ export const useExceedingLimits = () => {
   const [state, dispatch] = useReducer(subscriptionReducer, initialState);
   const [usage, _, usageStatus] = useContext(UsageContext);
   const [productsContext] = useContext(ProductsContext);
+  const oneTimeAddOnsContext = useContext(OneTimeAddOnsContext);
 
   const [exceedList, setExceedList] = useState<string[]>([]);
   const [warningList, setWarningList] = useState<string[]>([]);
@@ -45,16 +47,24 @@ export const useExceedingLimits = () => {
 
   // Get products and get default limits for community plan
   useWhenStripeIsEnabled(() => {
-    getAccountLimits(productsContext.products).then((limits) => {
-      setSubscribedSubmissionLimit(limits.submission_limit);
-      setSubscribedStorageLimit(limits.storage_bytes_limit);
-      setTranscriptionMinutes(
-        convertSecondsToMinutes(Number(limits.nlp_seconds_limit))
-      );
-      setTranslationChars(Number(limits.nlp_character_limit));
-      setAreLimitsLoaded(true);
-    });
-  }, [productsContext.products]);
+    if (productsContext.isLoaded && oneTimeAddOnsContext.isLoaded) {
+      getAccountLimits(
+        productsContext.products,
+        oneTimeAddOnsContext.oneTimeAddOns
+      ).then((limits) => {
+        setSubscribedSubmissionLimit(limits.remainingLimits.submission_limit);
+        setSubscribedStorageLimit(limits.remainingLimits.storage_bytes_limit);
+        setTranscriptionMinutes(limits.remainingLimits.asr_seconds_limit);
+        setTranslationChars(limits.remainingLimits.mt_characters_limit);
+        setAreLimitsLoaded(true);
+      });
+    }
+  }, [
+    productsContext.isLoaded,
+    productsContext.products,
+    oneTimeAddOnsContext.isLoaded,
+    oneTimeAddOnsContext.oneTimeAddOns,
+  ]);
 
   // Get subscription data
   useWhenStripeIsEnabled(
diff --git a/jsapp/js/featureFlags.ts b/jsapp/js/featureFlags.ts
index 30ec3015b6..9e5c7884db 100644
--- a/jsapp/js/featureFlags.ts
+++ b/jsapp/js/featureFlags.ts
@@ -4,7 +4,8 @@
  */
 export enum FeatureFlag {
   activityLogsEnabled = 'activityLogsEnabled',
-  mmosEnabled = 'mmosEnabled'
+  mmosEnabled = 'mmosEnabled',
+  oneTimeAddonsEnabled = 'oneTimeAddonsEnabled'
 }
 
 /**
diff --git a/kobo/apps/audit_log/signals.py b/kobo/apps/audit_log/signals.py
index cd143bf208..daab6dc9cb 100644
--- a/kobo/apps/audit_log/signals.py
+++ b/kobo/apps/audit_log/signals.py
@@ -5,6 +5,7 @@
 from kpi.models import ImportTask
 from kpi.tasks import import_in_background
 from kpi.utils.log import logging
+
 from .models import AccessLog, ProjectHistoryLog
 
 
diff --git a/kobo/apps/hook/tests/hook_test_case.py b/kobo/apps/hook/tests/hook_test_case.py
index 6dc51ce796..bdf20dec0b 100644
--- a/kobo/apps/hook/tests/hook_test_case.py
+++ b/kobo/apps/hook/tests/hook_test_case.py
@@ -2,6 +2,7 @@
 import uuid
 
 from kpi.tests.kpi_test_case import KpiTestCase
+
 from ..models import Hook
 from ..utils.tests.mixins import HookTestCaseMixin
 
diff --git a/kobo/apps/hook/utils/tests/mixins.py b/kobo/apps/hook/utils/tests/mixins.py
index 6453751044..d166d78d94 100644
--- a/kobo/apps/hook/utils/tests/mixins.py
+++ b/kobo/apps/hook/utils/tests/mixins.py
@@ -5,11 +5,11 @@
 from django.urls import reverse
 from rest_framework import status
 
-from kpi.constants import SUBMISSION_FORMAT_TYPE_JSON, SUBMISSION_FORMAT_TYPE_XML
-from kpi.exceptions import BadFormatException
 from kobo.apps.hook.constants import HOOK_LOG_FAILED
 from kobo.apps.hook.exceptions import HookRemoteServerDownError
 from kobo.apps.hook.models import HookLog
+from kpi.constants import SUBMISSION_FORMAT_TYPE_JSON, SUBMISSION_FORMAT_TYPE_XML
+from kpi.exceptions import BadFormatException
 
 
 class HookTestCaseMixin:
@@ -31,15 +31,13 @@ def _create_hook(self, return_response_only=False, **kwargs):
         data = {
             'name': kwargs.get('name', 'some external service with token'),
             'endpoint': kwargs.get('endpoint', 'http://external.service.local/'),
-            'settings': kwargs.get('settings', {
-                'custom_headers': {
-                    'X-Token': '1234abcd'
-                }
-            }),
+            'settings': kwargs.get(
+                'settings', {'custom_headers': {'X-Token': '1234abcd'}}
+            ),
             'export_type': format_type,
             'active': kwargs.get('active', True),
             'subset_fields': kwargs.get('subset_fields', []),
-            'payload_template': kwargs.get('payload_template', None)
+            'payload_template': kwargs.get('payload_template', None),
         }
 
         response = self.client.post(url, data, format='json')
@@ -98,10 +96,13 @@ def _send_and_wait_for_retry(self):
             service_definition.send()
 
         # Retrieve the corresponding log
-        url = reverse('hook-log-list', kwargs={
-            'parent_lookup_asset': self.hook.asset.uid,
-            'parent_lookup_hook': self.hook.uid
-        })
+        url = reverse(
+            'hook-log-list',
+            kwargs={
+                'parent_lookup_asset': self.hook.asset.uid,
+                'parent_lookup_hook': self.hook.uid,
+            },
+        )
 
         response = self.client.get(url)
         first_hooklog_response = response.data.get('results')[0]
diff --git a/kobo/apps/kobo_auth/models.py b/kobo/apps/kobo_auth/models.py
index f81891682d..4aec847447 100644
--- a/kobo/apps/kobo_auth/models.py
+++ b/kobo/apps/kobo_auth/models.py
@@ -6,7 +6,7 @@
     OPENROSA_APP_LABELS,
 )
 from kobo.apps.openrosa.libs.permissions import get_model_permission_codenames
-from kobo.apps.organizations.models import create_organization, Organization
+from kobo.apps.organizations.models import Organization, create_organization
 from kpi.utils.database import update_autofield_sequence, use_db
 from kpi.utils.permissions import is_user_anonymous
 
@@ -57,9 +57,11 @@ def organization(self):
             return
 
         # Database allows multiple organizations per user, but we restrict it to one.
-        if organization := Organization.objects.filter(
-            organization_users__user=self
-        ).order_by('-organization_users__created').first():
+        if (
+            organization := Organization.objects.filter(organization_users__user=self)
+            .order_by('-organization_users__created')
+            .first()
+        ):
             return organization
 
         try:
diff --git a/kobo/apps/openrosa/apps/api/tests/viewsets/test_xform_submission_api.py b/kobo/apps/openrosa/apps/api/tests/viewsets/test_xform_submission_api.py
index cf0319fa7e..47b413a01c 100644
--- a/kobo/apps/openrosa/apps/api/tests/viewsets/test_xform_submission_api.py
+++ b/kobo/apps/openrosa/apps/api/tests/viewsets/test_xform_submission_api.py
@@ -378,9 +378,9 @@ def test_post_submission_json_without_submission_key(self):
         self.assertContains(response, 'No submission key provided.', status_code=400)
 
     def test_submission_blocking_flag(self):
-        # Set 'submissions_suspended' True in the profile metadata to test if
+        # Set 'submissions_suspended' True in the profile to test if
         # submission do fail with the flag set
-        self.xform.user.profile.metadata['submissions_suspended'] = True
+        self.xform.user.profile.submissions_suspended = True
         self.xform.user.profile.save()
 
         # No need auth for this test
@@ -421,7 +421,7 @@ def test_submission_blocking_flag(self):
                 f.seek(0)
 
                 # check that users can submit data again when flag is removed
-                self.xform.user.profile.metadata['submissions_suspended'] = False
+                self.xform.user.profile.submissions_suspended = False
                 self.xform.user.profile.save()
 
                 request = self.factory.post(
diff --git a/kobo/apps/openrosa/apps/api/viewsets/xform_submission_api.py b/kobo/apps/openrosa/apps/api/viewsets/xform_submission_api.py
index 7854c2ab0f..995fe89c48 100644
--- a/kobo/apps/openrosa/apps/api/viewsets/xform_submission_api.py
+++ b/kobo/apps/openrosa/apps/api/viewsets/xform_submission_api.py
@@ -27,6 +27,7 @@
     TokenAuthentication,
 )
 from kpi.utils.object_permission import get_database_user
+
 from ..utils.rest_framework.viewsets import OpenRosaGenericViewSet
 
 xml_error_re = re.compile('>(.*)<')
diff --git a/kobo/apps/openrosa/apps/logger/management/commands/populate_submission_counters.py b/kobo/apps/openrosa/apps/logger/management/commands/populate_submission_counters.py
index cbaf2f0142..1943294250 100644
--- a/kobo/apps/openrosa/apps/logger/management/commands/populate_submission_counters.py
+++ b/kobo/apps/openrosa/apps/logger/management/commands/populate_submission_counters.py
@@ -7,7 +7,7 @@
 from django.conf import settings
 from django.core.management.base import BaseCommand
 from django.db import transaction
-from django.db.models import Count, Value, F, DateField
+from django.db.models import Count, DateField, F, Value
 from django.db.models.functions import Cast, Concat
 from django.utils import timezone
 
@@ -22,14 +22,14 @@
 
 class Command(BaseCommand):
 
-    help = "Updates monthly and daily submission counters"
+    help = 'Updates monthly and daily submission counters'
 
     def add_arguments(self, parser):
         parser.add_argument(
             '--chunks',
             type=int,
             default=2000,
-            help="Number of records to process per query"
+            help='Number of records to process per query',
         )
 
         days_default = settings.DAILY_COUNTERS_MAX_DAYS
@@ -38,8 +38,8 @@ def add_arguments(self, parser):
             type=int,
             default=days_default,
             help=(
-                f"Number of days taken into account to populate the counters. "
-                f"Default is {days_default}"
+                f'Number of days taken into account to populate the counters. '
+                f'Default is {days_default}'
             ),
         )
 
@@ -212,15 +212,15 @@ def suspend_submissions_for_user(self, user: settings.AUTH_USER_MODEL):
             user_profile.metadata = {}
 
         # Set the flag `submissions_suspended` to true if it is not already.
-        if not user_profile.metadata.get('submissions_suspended'):
+        if not user_profile.submissions_suspended:
             # We are using the flag `submissions_suspended` to prevent
             # new submissions from coming in while the
             # counters are being calculated.
-            user_profile.metadata['submissions_suspended'] = True
-            user_profile.save(update_fields=['metadata'])
+            user_profile.submissions_suspended = True
+            user_profile.save(update_fields=['submissions_suspended'])
 
     def release_old_locks(self):
-        updates = {'submissions_suspended': False}
+        updates = {}
 
         if self._force:
             updates['counters_updates_status'] = 'not-complete'
@@ -231,12 +231,12 @@ def release_old_locks(self):
                 'metadata',
                 updates=updates,
             ),
+            submissions_suspended=False,
         )
 
     def update_user_profile(self, user: settings.AUTH_USER_MODEL):
         # Update user's profile (and lock the related row)
         updates = {
-            'submissions_suspended': False,
             'counters_updates_status': 'complete',
         }
         UserProfile.objects.filter(
@@ -246,4 +246,5 @@ def update_user_profile(self, user: settings.AUTH_USER_MODEL):
                 'metadata',
                 updates=updates,
             ),
+            submissions_suspended=False,
         )
diff --git a/kobo/apps/openrosa/apps/logger/management/commands/update_attachment_storage_bytes.py b/kobo/apps/openrosa/apps/logger/management/commands/update_attachment_storage_bytes.py
index 0f6e328964..bdf382c327 100644
--- a/kobo/apps/openrosa/apps/logger/management/commands/update_attachment_storage_bytes.py
+++ b/kobo/apps/openrosa/apps/logger/management/commands/update_attachment_storage_bytes.py
@@ -3,7 +3,7 @@
 from django.conf import settings
 from django.contrib.auth import get_user_model
 from django.core.management.base import BaseCommand
-from django.db.models import Sum, OuterRef, Subquery
+from django.db.models import OuterRef, Subquery, Sum
 
 from kobo.apps.openrosa.apps.logger.models.attachment import Attachment
 from kobo.apps.openrosa.apps.logger.models.xform import XForm
@@ -28,7 +28,7 @@ def add_arguments(self, parser):
             '--chunks',
             type=int,
             default=2000,
-            help="Number of records to process per query"
+            help='Number of records to process per query',
         )
 
         parser.add_argument(
@@ -199,24 +199,19 @@ def _lock_user_profile(self, user: settings.AUTH_USER_MODEL):
             user_profile.metadata = {}
 
         # Set the flag to true if it was never set.
-        if not user_profile.metadata.get('submissions_suspended'):
+        if not user_profile.submissions_suspended:
             # We are using the flag `submissions_suspended` to prevent
             # new submissions from coming in while the
             # `attachment_storage_bytes` is being calculated.
-            user_profile.metadata['submissions_suspended'] = True
-            user_profile.save(update_fields=['metadata'])
+            user_profile.submissions_suspended = True
+            user_profile.save(update_fields=['submissions_suspended'])
 
     def _release_locks(self):
         # Release any locks on the users' profile from getting submissions
         if self._verbosity > 1:
             self.stdout.write('Releasing submission locks…')
 
-        UserProfile.objects.all().update(
-            metadata=ReplaceValues(
-                'metadata',
-                updates={'submissions_suspended': False},
-            ),
-        )
+        UserProfile.objects.all().update(submissions_suspended=False)
 
     def _reset_user_profile_counters(self):
 
@@ -251,7 +246,6 @@ def _update_user_profile(self, user: settings.AUTH_USER_MODEL):
 
         # Update user's profile (and lock the related row)
         updates = {
-            'submissions_suspended': False,
             'attachments_counting_status': 'complete',
         }
 
@@ -271,4 +265,5 @@ def _update_user_profile(self, user: settings.AUTH_USER_MODEL):
                 'metadata',
                 updates=updates,
             ),
+            submissions_suspended=False,
         )
diff --git a/kobo/apps/openrosa/apps/logger/migrations/0029_populate_daily_xform_counters_for_year.py b/kobo/apps/openrosa/apps/logger/migrations/0029_populate_daily_xform_counters_for_year.py
index 920bc32709..e15b6ec373 100644
--- a/kobo/apps/openrosa/apps/logger/migrations/0029_populate_daily_xform_counters_for_year.py
+++ b/kobo/apps/openrosa/apps/logger/migrations/0029_populate_daily_xform_counters_for_year.py
@@ -1,31 +1,9 @@
-from django.conf import settings
-from django.core.management import call_command
 from django.db import migrations
 
-
-def populate_daily_counts_for_year(apps, schema_editor):
-    if settings.SKIP_HEAVY_MIGRATIONS:
-        print(
-            """
-            !!! ATTENTION !!!
-            If you have existing projects, you need to run this management command:
-
-               > python manage.py populate_submission_counters -f --skip-monthly
-
-            Until you do, total usage counts from the KPI endpoints
-            /api/v2/service_usage and /api/v2/asset_usage will be incorrect
-            """
-        )
-    else:
-        print(
-            """
-            This might take a while. If it is too slow, you may want to re-run the
-            migration with SKIP_HEAVY_MIGRATIONS=True and run the following management command:
-
-                > python manage.py populate_submission_counters -f --skip-monthly
-            """
-        )
-        call_command('populate_submission_counters', force=True, skip_monthly=True)
+# NOTE:
+# This migrations was moved to 0037 in order to avoid conflict with the new
+# field user_profile.submissions_suspended introduced on main migration 0017.
+# This migration is obsolete and will be deleted in a future version.
 
 
 class Migration(migrations.Migration):
@@ -38,8 +16,4 @@ class Migration(migrations.Migration):
     # We don't do anything when migrating in reverse
     # Just set DAILY_COUNTER_MAX_DAYS back to 31 and counters will be auto-deleted
     operations = [
-        migrations.RunPython(
-            populate_daily_counts_for_year,
-            migrations.RunPython.noop,
-        ),
     ]
diff --git a/kobo/apps/openrosa/apps/logger/migrations/0030_backfill_lost_monthly_counters.py b/kobo/apps/openrosa/apps/logger/migrations/0030_backfill_lost_monthly_counters.py
index f72c4c584e..0f72384a90 100644
--- a/kobo/apps/openrosa/apps/logger/migrations/0030_backfill_lost_monthly_counters.py
+++ b/kobo/apps/openrosa/apps/logger/migrations/0030_backfill_lost_monthly_counters.py
@@ -1,64 +1,4 @@
 from django.db import migrations
-from django.db.migrations.recorder import MigrationRecorder
-from django.db.models import DateField, F, Sum, Value
-from django.db.models.functions import Cast, Concat, ExtractMonth, ExtractYear
-from django.utils import timezone
-
-from kobo.apps.openrosa.apps.logger.utils.counters import (
-    delete_null_user_daily_counters,
-)
-
-
-def populate_missing_monthly_counters(apps, schema_editor):
-
-    DailyXFormSubmissionCounter = apps.get_model('logger', 'DailyXFormSubmissionCounter')  # noqa
-    MonthlyXFormSubmissionCounter = apps.get_model('logger', 'MonthlyXFormSubmissionCounter')  # noqa
-
-    if not DailyXFormSubmissionCounter.objects.all().exists():
-        return
-
-    previous_migration = MigrationRecorder.Migration.objects.filter(
-        app='logger', name='0029_populate_daily_xform_counters_for_year'
-    ).first()
-
-    # Delete monthly counters in the range if any (to avoid conflicts in bulk_create below)
-    MonthlyXFormSubmissionCounter.objects.annotate(
-        date=Cast(
-            Concat(
-                F('year'), Value('-'), F('month'), Value('-'), 1
-            ),
-            DateField(),
-        )
-    ).filter(date__gte=previous_migration.applied.date().replace(day=1)).delete()
-
-    records = (
-        DailyXFormSubmissionCounter.objects.filter(
-            date__range=[
-                previous_migration.applied.date().replace(day=1),
-                timezone.now().date()
-            ]
-        )
-        .annotate(year=ExtractYear('date'), month=ExtractMonth('date'))
-        .values('user_id', 'xform_id', 'month', 'year')
-        .annotate(total=Sum('counter'))
-    ).order_by('year', 'month', 'user_id')
-
-    # Do not use `ignore_conflicts=True` to ensure all counters are successfully
-    # create.
-    # TODO use `update_conflicts` with Django 4.2 and avoid `.delete()` above
-    MonthlyXFormSubmissionCounter.objects.bulk_create(
-        [
-            MonthlyXFormSubmissionCounter(
-                year=r['year'],
-                month=r['month'],
-                user_id=r['user_id'],
-                xform_id=r['xform_id'],
-                counter=r['total'],
-            )
-            for r in records
-        ],
-        batch_size=5000
-    )
 
 
 class Migration(migrations.Migration):
@@ -68,12 +8,4 @@ class Migration(migrations.Migration):
     ]
 
     operations = [
-        migrations.RunPython(
-            delete_null_user_daily_counters,
-            migrations.RunPython.noop,
-        ),
-        migrations.RunPython(
-            populate_missing_monthly_counters,
-            migrations.RunPython.noop,
-        ),
     ]
diff --git a/kobo/apps/openrosa/apps/logger/migrations/0031_remove_null_user_daily_counters.py b/kobo/apps/openrosa/apps/logger/migrations/0031_remove_null_user_daily_counters.py
index db961696b9..32eddecfe2 100644
--- a/kobo/apps/openrosa/apps/logger/migrations/0031_remove_null_user_daily_counters.py
+++ b/kobo/apps/openrosa/apps/logger/migrations/0031_remove_null_user_daily_counters.py
@@ -1,21 +1,11 @@
-from django.conf import settings
 from django.db import migrations
 
-from kobo.apps.openrosa.apps.logger.utils.counters import (
-    delete_null_user_daily_counters,
-)
-
 
 class Migration(migrations.Migration):
 
     dependencies = [
-        migrations.swappable_dependency(settings.AUTH_USER_MODEL),
         ('logger', '0030_backfill_lost_monthly_counters'),
     ]
 
     operations = [
-        migrations.RunPython(
-            delete_null_user_daily_counters,
-            migrations.RunPython.noop,
-        ),
     ]
diff --git a/kobo/apps/openrosa/apps/logger/migrations/0032_alter_daily_submission_counter_user.py b/kobo/apps/openrosa/apps/logger/migrations/0032_alter_daily_submission_counter_user.py
index c70bb7f67d..06dfc802a3 100644
--- a/kobo/apps/openrosa/apps/logger/migrations/0032_alter_daily_submission_counter_user.py
+++ b/kobo/apps/openrosa/apps/logger/migrations/0032_alter_daily_submission_counter_user.py
@@ -6,7 +6,7 @@ class Migration(migrations.Migration):
 
     dependencies = [
         migrations.swappable_dependency(settings.AUTH_USER_MODEL),
-        ('logger', '0031_remove_null_user_daily_counters'),
+        ('logger', '0028_add_user_to_daily_submission_counters'),
     ]
 
     operations = [
diff --git a/kobo/apps/openrosa/apps/logger/migrations/0039_populate_counters.py b/kobo/apps/openrosa/apps/logger/migrations/0039_populate_counters.py
new file mode 100644
index 0000000000..24557bb053
--- /dev/null
+++ b/kobo/apps/openrosa/apps/logger/migrations/0039_populate_counters.py
@@ -0,0 +1,120 @@
+from django.conf import settings
+from django.core.management import call_command
+from django.db import migrations
+from django.db.migrations.recorder import MigrationRecorder
+from django.db.models import DateField, F, Sum, Value
+from django.db.models.functions import Cast, Concat, ExtractMonth, ExtractYear
+from django.utils import timezone
+
+from kobo.apps.openrosa.apps.logger.utils.counters import (
+    delete_null_user_daily_counters,
+)
+
+
+def populate_missing_monthly_counters(apps, schema_editor):
+
+    DailyXFormSubmissionCounter = apps.get_model(
+        'logger', 'DailyXFormSubmissionCounter'
+    )  # noqa
+    MonthlyXFormSubmissionCounter = apps.get_model(
+        'logger', 'MonthlyXFormSubmissionCounter'
+    )  # noqa
+
+    if not DailyXFormSubmissionCounter.objects.all().exists():
+        return
+
+    previous_migration = MigrationRecorder.Migration.objects.filter(
+        app='logger', name='0029_populate_daily_xform_counters_for_year'
+    ).first()
+
+    # Delete monthly counters in the range if any
+    # (to avoid conflicts in bulk_create below)
+    MonthlyXFormSubmissionCounter.objects.annotate(
+        date=Cast(
+            Concat(F('year'), Value('-'), F('month'), Value('-'), 1),
+            DateField(),
+        )
+    ).filter(date__gte=previous_migration.applied.date().replace(day=1)).delete()
+
+    records = (
+        DailyXFormSubmissionCounter.objects.filter(
+            date__range=[
+                previous_migration.applied.date().replace(day=1),
+                timezone.now().date(),
+            ]
+        )
+        .annotate(year=ExtractYear('date'), month=ExtractMonth('date'))
+        .values('user_id', 'xform_id', 'month', 'year')
+        .annotate(total=Sum('counter'))
+    ).order_by('year', 'month', 'user_id')
+
+    # Do not use `ignore_conflicts=True` to ensure all counters are successfully
+    # create.
+    # TODO use `update_conflicts` with Django 4.2 and avoid `.delete()` above
+    MonthlyXFormSubmissionCounter.objects.bulk_create(
+        [
+            MonthlyXFormSubmissionCounter(
+                year=r['year'],
+                month=r['month'],
+                user_id=r['user_id'],
+                xform_id=r['xform_id'],
+                counter=r['total'],
+            )
+            for r in records
+        ],
+        batch_size=5000,
+    )
+
+
+def populate_daily_counts_for_year(apps, schema_editor):
+    if settings.SKIP_HEAVY_MIGRATIONS:
+        print(
+            """
+            !!! ATTENTION !!!
+            If you have existing projects, you need to run this management command:
+
+               > python manage.py populate_submission_counters -f --skip-monthly
+
+            Until you do, total usage counts from the KPI endpoints
+            /api/v2/service_usage and /api/v2/asset_usage will be incorrect
+            """
+        )
+    else:
+        print(
+            """
+            This might take a while. If it is too slow, you may want to re-run the
+            migration with SKIP_HEAVY_MIGRATIONS=True and run the following management
+            command:
+
+                > python manage.py populate_submission_counters -f --skip-monthly
+            """
+        )
+        call_command('populate_submission_counters', force=True, skip_monthly=True)
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        migrations.swappable_dependency(settings.AUTH_USER_MODEL),
+        ('logger', '0038_add_mongo_uuid_field_to_xform'),
+        ('main', '0017_userprofile_submissions_suspended'),
+    ]
+
+    # We don't do anything when migrating in reverse
+    # Just set DAILY_COUNTER_MAX_DAYS back to 31 and counters will be auto-deleted
+    operations = [
+        migrations.RunPython(
+            populate_daily_counts_for_year,
+            migrations.RunPython.noop,
+        ),
+        migrations.RunPython(
+            delete_null_user_daily_counters,
+            migrations.RunPython.noop,
+        ),
+    ]
+
+    replaces = [
+        ('logger', '0029_populate_daily_xform_counters_for_year'),
+        ('logger', '0030_backfill_lost_monthly_counters'),
+        ('logger', '0031_remove_null_user_daily_counters'),
+    ]
diff --git a/kobo/apps/openrosa/apps/logger/models/instance.py b/kobo/apps/openrosa/apps/logger/models/instance.py
index 6a6737078a..d9819ceeee 100644
--- a/kobo/apps/openrosa/apps/logger/models/instance.py
+++ b/kobo/apps/openrosa/apps/logger/models/instance.py
@@ -1,11 +1,6 @@
 # coding: utf-8
 from hashlib import sha256
 
-try:
-    from zoneinfo import ZoneInfo
-except ImportError:
-    from backports.zoneinfo import ZoneInfo
-
 import reversion
 from django.apps import apps
 from django.contrib.gis.db import models
@@ -134,7 +129,7 @@ def check_active(self, force):
             'main', 'UserProfile'
         )  # noqa - Avoid circular imports
         profile, created = UserProfile.objects.get_or_create(user=self.xform.user)
-        if not created and profile.metadata.get('submissions_suspended', False):
+        if not created and profile.submissions_suspended:
             raise TemporarilyUnavailableError()
         return
 
diff --git a/kobo/apps/openrosa/apps/logger/models/xform.py b/kobo/apps/openrosa/apps/logger/models/xform.py
index c277cb8218..b52d6296b6 100644
--- a/kobo/apps/openrosa/apps/logger/models/xform.py
+++ b/kobo/apps/openrosa/apps/logger/models/xform.py
@@ -139,9 +139,9 @@ def asset(self):
                 )
             except Asset.DoesNotExist:
                 try:
-                    asset = Asset.objects.only(
-                        'pk', 'name', 'uid', 'owner_id'
-                    ).get(_deployment_data__formid=self.pk)
+                    asset = Asset.objects.only('pk', 'name', 'uid', 'owner_id').get(
+                        _deployment_data__formid=self.pk
+                    )
                 except Asset.DoesNotExist:
                     # An `Asset` object needs to be returned to avoid 500 while
                     # Enketo is fetching for project XML (e.g: /formList, /manifest)
@@ -288,11 +288,7 @@ def update(self, *args, **kwargs):
 
     def url(self):
         return reverse(
-            'download_xform',
-            kwargs={
-                'username': self.user.username,
-                'pk': self.pk
-            }
+            'download_xform', kwargs={'username': self.user.username, 'pk': self.pk}
         )
 
     @property
diff --git a/kobo/apps/openrosa/apps/main/migrations/0017_userprofile_submissions_suspended.py b/kobo/apps/openrosa/apps/main/migrations/0017_userprofile_submissions_suspended.py
new file mode 100644
index 0000000000..e24e43000f
--- /dev/null
+++ b/kobo/apps/openrosa/apps/main/migrations/0017_userprofile_submissions_suspended.py
@@ -0,0 +1,18 @@
+# Generated by Django 4.2.15 on 2024-09-02 21:41
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('main', '0016_drop_old_restservice_tables'),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name='userprofile',
+            name='submissions_suspended',
+            field=models.BooleanField(default=False),
+        ),
+    ]
diff --git a/kobo/apps/openrosa/apps/main/models/user_profile.py b/kobo/apps/openrosa/apps/main/models/user_profile.py
index 934a1651fb..09508e8179 100644
--- a/kobo/apps/openrosa/apps/main/models/user_profile.py
+++ b/kobo/apps/openrosa/apps/main/models/user_profile.py
@@ -35,6 +35,7 @@ class UserProfile(models.Model):
     metadata = models.JSONField(default=dict, blank=True)
     is_mfa_active = LazyDefaultBooleanField(default=False)
     validated_password = models.BooleanField(default=True)
+    submissions_suspended = models.BooleanField(default=False)
 
     class Meta:
         app_label = 'main'
diff --git a/kobo/apps/openrosa/apps/main/urls.py b/kobo/apps/openrosa/apps/main/urls.py
index 225fe1f0f6..4a2a7985ff 100644
--- a/kobo/apps/openrosa/apps/main/urls.py
+++ b/kobo/apps/openrosa/apps/main/urls.py
@@ -1,128 +1,187 @@
 # coding: utf-8
 from django.conf import settings
-
 from django.urls import include, re_path
 from django.views.generic import RedirectView
 from django.views.i18n import JavaScriptCatalog
 
 from kobo.apps.openrosa import koboform
-from kobo.apps.openrosa.apps.api.urls import BriefcaseApi
-from kobo.apps.openrosa.apps.api.urls import XFormListApi
-from kobo.apps.openrosa.apps.api.urls import XFormSubmissionApi
-from kobo.apps.openrosa.apps.api.urls import router, router_with_patch_list
+from kobo.apps.openrosa.apps.api.urls import (
+    BriefcaseApi,
+    XFormListApi,
+    XFormSubmissionApi,
+    router,
+    router_with_patch_list,
+)
+from kobo.apps.openrosa.apps.logger.views import (
+    bulksubmission,
+    bulksubmission_form,
+    download_jsonform,
+    download_xlsform,
+)
 
 # exporting stuff
 from kobo.apps.openrosa.apps.viewer.views import (
     attachment_url,
     create_export,
     delete_export,
-    export_progress,
-    export_list,
     export_download,
+    export_list,
+    export_progress,
 )
-from kobo.apps.openrosa.apps.logger.views import (
-    bulksubmission,
-    bulksubmission_form,
-    download_xlsform,
-    download_jsonform,
-)
-
 
 urlpatterns = [
     # change Language
     re_path(r'^i18n/', include('django.conf.urls.i18n')),
     re_path('^api/v1/', include(router.urls)),
     re_path('^api/v1/', include(router_with_patch_list.urls)),
-
     # main website views
+    re_path(r'^$', RedirectView.as_view(url=koboform.redirect_url('/')), name='home'),
+    # Bring back old url because it's still used by `kpi`
+    re_path(r'^attachment/$', attachment_url, name='attachment_url'),
+    re_path(r'^attachment/(?P<size>[^/]+)$', attachment_url, name='attachment_url'),
     re_path(
-        r'^$', RedirectView.as_view(url=koboform.redirect_url('/')), name='home'
+        r'^{}$'.format(settings.MEDIA_URL.lstrip('/')),
+        attachment_url,
+        name='attachment_url',
     ),
-    # Bring back old url because it's still used by `kpi`
-    re_path(r"^attachment/$", attachment_url, name='attachment_url'),
-    re_path(r"^attachment/(?P<size>[^/]+)$",
-            attachment_url, name='attachment_url'),
-    re_path(r"^{}$".format(settings.MEDIA_URL.lstrip('/')), attachment_url, name='attachment_url'),
-    re_path(r"^{}(?P<size>[^/]+)$".format(settings.MEDIA_URL.lstrip('/')),
-            attachment_url, name='attachment_url'),
-    re_path(r'^jsi18n/$', JavaScriptCatalog.as_view(packages=['kobo.apps.openrosa.apps.main', 'kobo.apps.openrosa.apps.viewer']),
-            name='javascript-catalog'),
-    re_path(
-       r'^(?P<username>[^/]+)/$',
-       RedirectView.as_view(url=koboform.redirect_url('/')),
-       name='user_profile',
+    re_path(
+        r'^{}(?P<size>[^/]+)$'.format(settings.MEDIA_URL.lstrip('/')),
+        attachment_url,
+        name='attachment_url',
+    ),
+    re_path(
+        r'^jsi18n/$',
+        JavaScriptCatalog.as_view(
+            packages=['kobo.apps.openrosa.apps.main', 'kobo.apps.openrosa.apps.viewer']
+        ),
+        name='javascript-catalog',
+    ),
+    re_path(
+        r'^(?P<username>[^/]+)/$',
+        RedirectView.as_view(url=koboform.redirect_url('/')),
+        name='user_profile',
     ),
     # briefcase api urls
-    re_path(r"^view/submissionList$",
-            BriefcaseApi.as_view({'get': 'list', 'head': 'list'}),
-            name='view-submission-list'),
-    re_path(r"^view/downloadSubmission$",
-            BriefcaseApi.as_view({'get': 'retrieve', 'head': 'retrieve'}),
-            name='view-download-submission'),
-    re_path(r"^formUpload$",
-            BriefcaseApi.as_view({'post': 'create', 'head': 'create'}),
-            name='form-upload'),
-    re_path(r"^upload$",
-            BriefcaseApi.as_view({'post': 'create', 'head': 'create'}),
-            name='upload'),
-
+    re_path(
+        r'^view/submissionList$',
+        BriefcaseApi.as_view({'get': 'list', 'head': 'list'}),
+        name='view-submission-list',
+    ),
+    re_path(
+        r'^view/downloadSubmission$',
+        BriefcaseApi.as_view({'get': 'retrieve', 'head': 'retrieve'}),
+        name='view-download-submission',
+    ),
+    re_path(
+        r'^formUpload$',
+        BriefcaseApi.as_view({'post': 'create', 'head': 'create'}),
+        name='form-upload',
+    ),
+    re_path(
+        r'^upload$',
+        BriefcaseApi.as_view({'post': 'create', 'head': 'create'}),
+        name='upload',
+    ),
     # exporting stuff
-    re_path(r"^(?P<username>\w+)/exports/(?P<id_string>[^/]+)/(?P<export_type>\w+)"
-            r"/new$", create_export, name='create_export'),
-    re_path(r"^(?P<username>\w+)/exports/(?P<id_string>[^/]+)/(?P<export_type>\w+)"
-            r"/delete$", delete_export, name='delete_export'),
-    re_path(r"^(?P<username>\w+)/exports/(?P<id_string>[^/]+)/(?P<export_type>\w+)"
-            r"/progress$", export_progress, name='export_progress'),
-    re_path(r"^(?P<username>\w+)/exports/(?P<id_string>[^/]+)/(?P<export_type>\w+)"
-            r"/$", export_list, name='export_list'),
-    re_path(r"^(?P<username>\w+)/exports/(?P<id_string>[^/]+)/(?P<export_type>\w+)"
-            "/(?P<filename>[^/]+)$",
-            export_download, name='export_download'),
-
+    re_path(
+        r'^(?P<username>\w+)/exports/(?P<id_string>[^/]+)/(?P<export_type>\w+)'
+        r'/new$',
+        create_export,
+        name='create_export',
+    ),
+    re_path(
+        r'^(?P<username>\w+)/exports/(?P<id_string>[^/]+)/(?P<export_type>\w+)'
+        r'/delete$',
+        delete_export,
+        name='delete_export',
+    ),
+    re_path(
+        r'^(?P<username>\w+)/exports/(?P<id_string>[^/]+)/(?P<export_type>\w+)'
+        r'/progress$',
+        export_progress,
+        name='export_progress',
+    ),
+    re_path(
+        r'^(?P<username>\w+)/exports/(?P<id_string>[^/]+)/(?P<export_type>\w+)' r'/$',
+        export_list,
+        name='export_list',
+    ),
+    re_path(
+        r'^(?P<username>\w+)/exports/(?P<id_string>[^/]+)/(?P<export_type>\w+)'
+        '/(?P<filename>[^/]+)$',
+        export_download,
+        name='export_download',
+    ),
     # odk data urls
-    re_path(r"^submission$",
-            XFormSubmissionApi.as_view({'post': 'create', 'head': 'create'}),
-            name='submissions'),
-    re_path(r"^formList$",
-            XFormListApi.as_view({'get': 'list'}), name='form-list'),
-    re_path(r"^(?P<username>\w+)/formList$",
-            XFormListApi.as_view({'get': 'list'}), name='form-list'),
-    re_path(r"^(?P<username>\w+)/xformsManifest/(?P<pk>[\d+^/]+)$",
-            XFormListApi.as_view({'get': 'manifest'}),
-            name='manifest-url'),
-    re_path(r"^xformsManifest/(?P<pk>[\d+^/]+)$",
-            XFormListApi.as_view({'get': 'manifest'}),
-            name='manifest-url'),
-    re_path(r"^(?P<username>\w+)/xformsMedia/(?P<pk>[\d+^/]+)"
-            r"/(?P<metadata>[\d+^/.]+)$",
-            XFormListApi.as_view({'get': 'media'}), name='xform-media'),
-    re_path(r"^(?P<username>\w+)/xformsMedia/(?P<pk>[\d+^/]+)"
-            r"/(?P<metadata>[\d+^/.]+)\.(?P<format>[a-z0-9]+)$",
-            XFormListApi.as_view({'get': 'media'}), name='xform-media'),
-    re_path(r"^xformsMedia/(?P<pk>[\d+^/]+)/(?P<metadata>[\d+^/.]+)$",
-            XFormListApi.as_view({'get': 'media'}), name='xform-media'),
-    re_path(r"^xformsMedia/(?P<pk>[\d+^/]+)/(?P<metadata>[\d+^/.]+)\."
-            r"(?P<format>[a-z0-9]+)$",
-            XFormListApi.as_view({'get': 'media'}), name='xform-media'),
-    re_path(r"^(?P<username>\w+)/submission$",
-            XFormSubmissionApi.as_view({'post': 'create', 'head': 'create'}),
-            name='submissions'),
-    re_path(r"^(?P<username>\w+)/bulk-submission$",
-            bulksubmission),
-    re_path(r"^(?P<username>\w+)/bulk-submission-form$",
-            bulksubmission_form),
-    re_path(r'^forms/(?P<pk>[\d+^/]+)/form\.xml$',
-            XFormListApi.as_view({'get': 'retrieve'}),
-            name='download_xform'),
-    re_path(r'^(?P<username>\w+)/forms/(?P<pk>[\d+^/]+)/form\.xml$',
-            XFormListApi.as_view({'get': 'retrieve'}),
-            name='download_xform'),
-    re_path(r"^(?P<username>\w+)/forms/(?P<id_string>[^/]+)/form\.xls$",
-            download_xlsform,
-            name="download_xlsform"),
-    re_path(r"^(?P<username>\w+)/forms/(?P<id_string>[^/]+)/form\.json",
-            download_jsonform,
-            name="download_jsonform"),
-    re_path(r'^favicon\.ico',
-            RedirectView.as_view(url='/static/images/favicon.ico')),
+    re_path(
+        r'^submission$',
+        XFormSubmissionApi.as_view({'post': 'create', 'head': 'create'}),
+        name='submissions',
+    ),
+    re_path(r'^formList$', XFormListApi.as_view({'get': 'list'}), name='form-list'),
+    re_path(
+        r'^(?P<username>\w+)/formList$',
+        XFormListApi.as_view({'get': 'list'}),
+        name='form-list',
+    ),
+    re_path(
+        r'^(?P<username>\w+)/xformsManifest/(?P<pk>[\d+^/]+)$',
+        XFormListApi.as_view({'get': 'manifest'}),
+        name='manifest-url',
+    ),
+    re_path(
+        r'^xformsManifest/(?P<pk>[\d+^/]+)$',
+        XFormListApi.as_view({'get': 'manifest'}),
+        name='manifest-url',
+    ),
+    re_path(
+        r'^(?P<username>\w+)/xformsMedia/(?P<pk>[\d+^/]+)' r'/(?P<metadata>[\d+^/.]+)$',
+        XFormListApi.as_view({'get': 'media'}),
+        name='xform-media',
+    ),
+    re_path(
+        r'^(?P<username>\w+)/xformsMedia/(?P<pk>[\d+^/]+)'
+        r'/(?P<metadata>[\d+^/.]+)\.(?P<format>[a-z0-9]+)$',
+        XFormListApi.as_view({'get': 'media'}),
+        name='xform-media',
+    ),
+    re_path(
+        r'^xformsMedia/(?P<pk>[\d+^/]+)/(?P<metadata>[\d+^/.]+)$',
+        XFormListApi.as_view({'get': 'media'}),
+        name='xform-media',
+    ),
+    re_path(
+        r'^xformsMedia/(?P<pk>[\d+^/]+)/(?P<metadata>[\d+^/.]+)\.'
+        r'(?P<format>[a-z0-9]+)$',
+        XFormListApi.as_view({'get': 'media'}),
+        name='xform-media',
+    ),
+    re_path(
+        r'^(?P<username>\w+)/submission$',
+        XFormSubmissionApi.as_view({'post': 'create', 'head': 'create'}),
+        name='submissions',
+    ),
+    re_path(r'^(?P<username>\w+)/bulk-submission$', bulksubmission),
+    re_path(r'^(?P<username>\w+)/bulk-submission-form$', bulksubmission_form),
+    re_path(
+        r'^forms/(?P<pk>[\d+^/]+)/form\.xml$',
+        XFormListApi.as_view({'get': 'retrieve'}),
+        name='download_xform',
+    ),
+    re_path(
+        r'^(?P<username>\w+)/forms/(?P<pk>[\d+^/]+)/form\.xml$',
+        XFormListApi.as_view({'get': 'retrieve'}),
+        name='download_xform',
+    ),
+    re_path(
+        r'^(?P<username>\w+)/forms/(?P<id_string>[^/]+)/form\.xls$',
+        download_xlsform,
+        name='download_xlsform',
+    ),
+    re_path(
+        r'^(?P<username>\w+)/forms/(?P<id_string>[^/]+)/form\.json',
+        download_jsonform,
+        name='download_jsonform',
+    ),
+    re_path(r'^favicon\.ico', RedirectView.as_view(url='/static/images/favicon.ico')),
 ]
diff --git a/kobo/apps/openrosa/libs/filters.py b/kobo/apps/openrosa/libs/filters.py
index 61b178d057..aea410edba 100644
--- a/kobo/apps/openrosa/libs/filters.py
+++ b/kobo/apps/openrosa/libs/filters.py
@@ -58,8 +58,7 @@ def _get_objects_for_org_admin(self, request, queryset, view):
 
         # Only check for specific view and action
         if not (
-            view.action
-            in self.ORG_ADMIN_EXEMPT_VIEWS.get(view.__class__.__name__, {})
+            view.action in self.ORG_ADMIN_EXEMPT_VIEWS.get(view.__class__.__name__, {})
         ):
             return
 
diff --git a/kobo/apps/openrosa/libs/utils/logger_tools.py b/kobo/apps/openrosa/libs/utils/logger_tools.py
index 28436f749b..30d0ae0e41 100644
--- a/kobo/apps/openrosa/libs/utils/logger_tools.py
+++ b/kobo/apps/openrosa/libs/utils/logger_tools.py
@@ -80,9 +80,9 @@
 from kpi.deployment_backends.kc_access.storage import (
     default_kobocat_storage as default_storage,
 )
-from kpi.utils.object_permission import get_database_user
 from kpi.utils.hash import calculate_hash
 from kpi.utils.mongo_helper import MongoHelper
+from kpi.utils.object_permission import get_database_user
 
 OPEN_ROSA_VERSION_HEADER = 'X-OpenRosa-Version'
 HTTP_OPEN_ROSA_VERSION_HEADER = 'HTTP_X_OPENROSA_VERSION'
diff --git a/kobo/apps/organizations/admin/__init__.py b/kobo/apps/organizations/admin/__init__.py
index debd1e39d5..379b2ee543 100644
--- a/kobo/apps/organizations/admin/__init__.py
+++ b/kobo/apps/organizations/admin/__init__.py
@@ -1,7 +1,7 @@
 # flake8: noqa: F401
 from .organization import OrgAdmin
-from .organization_owner import OrgOwnerAdmin
 from .organization_invite import OrgInvitationAdmin
+from .organization_owner import OrgOwnerAdmin
 from .organization_user import OrgUserAdmin
 
 __all__ = ['OrgAdmin', 'OrgOwnerAdmin', 'OrgInvitationAdmin', 'OrgUserAdmin']
diff --git a/kobo/apps/organizations/admin/organization.py b/kobo/apps/organizations/admin/organization.py
index f538d3e628..bd0f64a856 100644
--- a/kobo/apps/organizations/admin/organization.py
+++ b/kobo/apps/organizations/admin/organization.py
@@ -4,14 +4,12 @@
 from organizations.base_admin import BaseOrganizationAdmin
 
 from kobo.apps.kobo_auth.shortcuts import User
-from .organization_owner import OwnerInline
-from .organization_user import OrgUserInline
-from ..models import (
-    Organization,
-    OrganizationUser,
-)
+
+from ..models import Organization, OrganizationUser
 from ..tasks import transfer_user_ownership_to_org
 from ..utils import revoke_org_asset_perms
+from .organization_owner import OwnerInline
+from .organization_user import OrgUserInline
 
 
 @admin.register(Organization)
@@ -62,8 +60,7 @@ def _get_new_members_queryset(
         )
 
         queryset = (
-            User.objects
-            .filter(
+            User.objects.filter(
                 organizations_organizationuser__organization_id=organization_id
             )
             .filter(id__in=users_in_multiple_orgs)
diff --git a/kobo/apps/organizations/admin/organization_invite.py b/kobo/apps/organizations/admin/organization_invite.py
index c63f521576..87751c72ba 100644
--- a/kobo/apps/organizations/admin/organization_invite.py
+++ b/kobo/apps/organizations/admin/organization_invite.py
@@ -1,4 +1,5 @@
 from django.contrib import admin
+
 from ..models import OrganizationInvitation
 
 
diff --git a/kobo/apps/organizations/admin/organization_user.py b/kobo/apps/organizations/admin/organization_user.py
index b11832478c..89d9f6b88b 100644
--- a/kobo/apps/organizations/admin/organization_user.py
+++ b/kobo/apps/organizations/admin/organization_user.py
@@ -10,6 +10,7 @@
 from organizations.base_admin import BaseOrganizationUserAdmin
 
 from kobo.apps.kobo_auth.shortcuts import User
+
 from ..forms import OrgUserAdminForm
 from ..models import OrganizationUser
 from ..tasks import transfer_user_ownership_to_org
@@ -128,9 +129,11 @@ def get_search_results(self, request, queryset, search_term):
             and app_label == 'organizations'
             and model_name == 'organizationowner'
         ):
-            queryset = queryset.annotate(
-                user_count=Count('organization__organization_users')
-            ).filter(user_count__lte=1).order_by('user__username')
+            queryset = (
+                queryset.annotate(user_count=Count('organization__organization_users'))
+                .filter(user_count__lte=1)
+                .order_by('user__username')
+            )
 
         return super().get_search_results(request, queryset, search_term)
 
diff --git a/kobo/apps/organizations/forms.py b/kobo/apps/organizations/forms.py
index bf45473c91..ace01968e6 100644
--- a/kobo/apps/organizations/forms.py
+++ b/kobo/apps/organizations/forms.py
@@ -1,5 +1,6 @@
 from django import forms
 from django.core.exceptions import ValidationError
+
 from .models import OrganizationUser
 
 
diff --git a/kobo/apps/organizations/migrations/0006_update_organization_name.py b/kobo/apps/organizations/migrations/0006_update_organization_name.py
index 6c1e3b8ee0..98fa7905e9 100644
--- a/kobo/apps/organizations/migrations/0006_update_organization_name.py
+++ b/kobo/apps/organizations/migrations/0006_update_organization_name.py
@@ -1,7 +1,7 @@
 # Generated by Django 4.2.15 on 2024-10-25 16:08
 
-from django.db import migrations
 from django.core.paginator import Paginator
+from django.db import migrations
 
 
 def update_organization_names(apps, schema_editor):
diff --git a/kobo/apps/organizations/models.py b/kobo/apps/organizations/models.py
index 9aac437b01..a51d2662af 100644
--- a/kobo/apps/organizations/models.py
+++ b/kobo/apps/organizations/models.py
@@ -1,4 +1,6 @@
+from functools import partial
 from typing import Literal
+
 from django.conf import settings
 from django.core.exceptions import ObjectDoesNotExist
 from django.db import models
@@ -6,8 +8,11 @@
 from django_request_cache import cache_for_request
 
 if settings.STRIPE_ENABLED:
-   from djstripe.models import Customer, Subscription
-from functools import partial
+    from djstripe.models import Customer, Subscription
+
+    from kobo.apps.stripe.constants import (
+        ACTIVE_STRIPE_STATUSES,
+    )
 
 from organizations.abstract import (
     AbstractOrganization,
@@ -17,8 +22,8 @@
 )
 from organizations.utils import create_organization as create_organization_base
 
-from kobo.apps.stripe.constants import ACTIVE_STRIPE_STATUSES
 from kpi.fields import KpiUidField
+
 from .constants import (
     ORG_ADMIN_ROLE,
     ORG_EXTERNAL_ROLE,
@@ -27,7 +32,6 @@
 )
 from .exceptions import NotMultiMemberOrganizationException
 
-
 OrganizationRole = Literal[
     ORG_ADMIN_ROLE, ORG_EXTERNAL_ROLE, ORG_MEMBER_ROLE, ORG_OWNER_ROLE
 ]
@@ -49,25 +53,45 @@ def add_user(self, user, is_admin=False):
     @cache_for_request
     def active_subscription_billing_details(self):
         """
-        Retrieve the billing dates and interval for the organization's newest active subscription
+        Retrieve the billing dates, interval, and product/price metadata for the
+        organization's newest subscription
         Returns None if Stripe is not enabled
-        The status types that are considered 'active' are determined by ACTIVE_STRIPE_STATUSES
+        The status types that are considered 'active' are determined by
+        ACTIVE_STRIPE_STATUSES
         """
         # Only check for subscriptions if Stripe is enabled
-        if settings.STRIPE_ENABLED:
-            return Organization.objects.prefetch_related('djstripe_customers').filter(
-                    djstripe_customers__subscriptions__status__in=ACTIVE_STRIPE_STATUSES,
-                    djstripe_customers__subscriber=self.id,
-                ).order_by(
-                    '-djstripe_customers__subscriptions__start_date'
-                ).values(
-                    billing_cycle_anchor=F('djstripe_customers__subscriptions__billing_cycle_anchor'),
-                    current_period_start=F('djstripe_customers__subscriptions__current_period_start'),
-                    current_period_end=F('djstripe_customers__subscriptions__current_period_end'),
-                    recurring_interval=F('djstripe_customers__subscriptions__items__price__recurring__interval'),
-                ).first()
-
-        return None
+        if not settings.STRIPE_ENABLED:
+            return None
+
+        return (
+            Organization.objects.prefetch_related('djstripe_customers')
+            .filter(
+                djstripe_customers__subscriptions__status__in=ACTIVE_STRIPE_STATUSES,
+                djstripe_customers__subscriber=self.id,
+            )
+            .order_by('-djstripe_customers__subscriptions__start_date')
+            .values(
+                billing_cycle_anchor=F(
+                    'djstripe_customers__subscriptions__billing_cycle_anchor'
+                ),
+                current_period_start=F(
+                    'djstripe_customers__subscriptions__current_period_start'
+                ),
+                current_period_end=F(
+                    'djstripe_customers__subscriptions__current_period_end'
+                ),
+                recurring_interval=F(
+                    'djstripe_customers__subscriptions__items__price__recurring__interval'  # noqa: E501
+                ),
+                product_metadata=F(
+                    'djstripe_customers__subscriptions__items__price__product__metadata'
+                ),
+                price_metadata=F(
+                    'djstripe_customers__subscriptions__items__price__metadata'
+                ),
+            )
+            .first()
+        )
 
     @cache_for_request
     def canceled_subscription_billing_cycle_anchor(self):
@@ -76,19 +100,39 @@ def canceled_subscription_billing_cycle_anchor(self):
         """
         # Only check for subscriptions if Stripe is enabled
         if settings.STRIPE_ENABLED:
-            qs = Organization.objects.prefetch_related('djstripe_customers').filter(
+            qs = (
+                Organization.objects.prefetch_related('djstripe_customers')
+                .filter(
                     djstripe_customers__subscriptions__status='canceled',
                     djstripe_customers__subscriber=self.id,
-                ).order_by(
-                    '-djstripe_customers__subscriptions__ended_at'
-                ).values(
+                )
+                .order_by('-djstripe_customers__subscriptions__ended_at')
+                .values(
                     anchor=F('djstripe_customers__subscriptions__ended_at'),
-                ).first()
+                )
+                .first()
+            )
             if qs:
                 return qs['anchor']
 
         return None
 
+    @classmethod
+    def get_from_user_id(cls, user_id: int):
+        """
+        Get organization that this user is a member of.
+        """
+        # TODO: validate this is the correct way to get a user's organization
+        org = (
+            cls.objects.filter(
+                organization_users__user__id=user_id,
+            )
+            .order_by('-organization_users__created')
+            .first()
+        )
+
+        return org
+
     @property
     def email(self):
         """
@@ -177,7 +221,8 @@ def active_subscription_statuses(self):
         try:
             customer = Customer.objects.get(subscriber=self.organization.id)
             subscriptions = Subscription.objects.filter(
-                customer=customer, status="active"
+                customer=customer,
+                status__in=ACTIVE_STRIPE_STATUSES,
             )
 
             unique_plans = set()
diff --git a/kobo/apps/organizations/permissions.py b/kobo/apps/organizations/permissions.py
index 7564a57eda..30d8988331 100644
--- a/kobo/apps/organizations/permissions.py
+++ b/kobo/apps/organizations/permissions.py
@@ -6,13 +6,12 @@
 from kpi.utils.object_permission import get_database_user
 
 
-class IsOrgAdmin(
-    ValidationPasswordPermissionMixin, permissions.BasePermission
-):
+class IsOrgAdmin(ValidationPasswordPermissionMixin, permissions.BasePermission):
     """
     Object-level permission to only allow admin members of an object to access it.
     Assumes the model instance has an `is_admin` attribute.
     """
+
     def has_permission(self, request, view):
         self.validate_password(request)
         return super().has_permission(request=request, view=view)
diff --git a/kobo/apps/organizations/serializers.py b/kobo/apps/organizations/serializers.py
index 2c0e0fdcd1..031545f220 100644
--- a/kobo/apps/organizations/serializers.py
+++ b/kobo/apps/organizations/serializers.py
@@ -1,12 +1,13 @@
 from rest_framework import serializers
 
 from kobo.apps.organizations.models import (
-    create_organization,
     Organization,
     OrganizationOwner,
     OrganizationUser,
+    create_organization,
 )
 from kpi.utils.object_permission import get_database_user
+
 from .constants import ORG_EXTERNAL_ROLE
 
 
diff --git a/kobo/apps/organizations/tasks.py b/kobo/apps/organizations/tasks.py
index c3effa3b33..40d19df1a7 100644
--- a/kobo/apps/organizations/tasks.py
+++ b/kobo/apps/organizations/tasks.py
@@ -2,8 +2,8 @@
 from more_itertools import chunked
 
 from kobo.apps.kobo_auth.shortcuts import User
-from kobo.celery import celery_app
 from kobo.apps.project_ownership.utils import create_invite
+from kobo.celery import celery_app
 
 
 @celery_app.task(
diff --git a/kobo/apps/organizations/tests/test_organizations.py b/kobo/apps/organizations/tests/test_organizations.py
index 24d4a6acae..6eaf9e2fe5 100644
--- a/kobo/apps/organizations/tests/test_organizations.py
+++ b/kobo/apps/organizations/tests/test_organizations.py
@@ -1,13 +1,13 @@
 from django.test import TestCase
 
 from kobo.apps.kobo_auth.shortcuts import User
-from kobo.apps.organizations.models import Organization
 from kobo.apps.organizations.constants import (
     ORG_ADMIN_ROLE,
     ORG_EXTERNAL_ROLE,
     ORG_MEMBER_ROLE,
     ORG_OWNER_ROLE,
 )
+from kobo.apps.organizations.models import Organization
 
 
 class OrganizationTestCase(TestCase):
diff --git a/kobo/apps/organizations/tests/test_organizations_api.py b/kobo/apps/organizations/tests/test_organizations_api.py
index 02665895ea..c97ebef66e 100644
--- a/kobo/apps/organizations/tests/test_organizations_api.py
+++ b/kobo/apps/organizations/tests/test_organizations_api.py
@@ -1,26 +1,25 @@
+from datetime import timedelta
 from unittest.mock import patch
 
 import responses
+from ddt import data, ddt, unpack
 from django.contrib.auth.models import Permission
 from django.urls import reverse
-from ddt import ddt, data, unpack
+from django.utils import timezone
+from django.utils.http import parse_http_date
 from model_bakery import baker
 from rest_framework import status
 
-from kobo.apps.kobo_auth.shortcuts import User
 from kobo.apps.hook.utils.tests.mixins import HookTestCaseMixin
+from kobo.apps.kobo_auth.shortcuts import User
 from kobo.apps.organizations.models import Organization
-from kpi.constants import (
-    PERM_ADD_SUBMISSIONS,
-    PERM_MANAGE_ASSET,
-    PERM_VIEW_ASSET,
-)
+from kpi.constants import PERM_ADD_SUBMISSIONS, PERM_MANAGE_ASSET, PERM_VIEW_ASSET
 from kpi.models.asset import Asset
-from kpi.tests.base_test_case import BaseTestCase, BaseAssetTestCase
+from kpi.tests.base_test_case import BaseAssetTestCase, BaseTestCase
 from kpi.tests.utils.mixins import (
     AssetFileTestCaseMixin,
-    SubmissionEditTestCaseMixin,
     SubmissionDeleteTestCaseMixin,
+    SubmissionEditTestCaseMixin,
     SubmissionValidationStatusTestCaseMixin,
     SubmissionViewTestCaseMixin,
 )
@@ -90,6 +89,20 @@ def test_update(self):
         res = self.client.patch(self.url_detail, data)
         self.assertEqual(res.status_code, 403)
 
+    @patch('kpi.utils.usage_calculator.CachedClass._cache_last_updated')
+    def test_service_usage_date_header(self, mock_cache_last_updated):
+        self._insert_data()
+        url_service_usage = reverse(
+            self._get_endpoint('organizations-service-usage'),
+            kwargs={'id': self.organization.id},
+        )
+        now = timezone.now()
+        mock_cache_last_updated.return_value = now - timedelta(seconds=3)
+        self.client.get(url_service_usage)
+        response = self.client.get(url_service_usage)
+        last_updated_timestamp = parse_http_date(response.headers['Date'])
+        assert (now.timestamp() - last_updated_timestamp) > 3
+
     def test_api_response_includes_is_mmo_with_mmo_override(self):
         """
         Test that is_mmo is True when mmo_override is enabled and there is no
@@ -249,7 +262,7 @@ def _create_asset_by_bob(self):
                         'label': 'How many pages?',
                     }
                 ],
-            }
+            },
         )
         assert response.status_code == status.HTTP_201_CREATED
         assert response.data['owner__username'] == self.bob.username
@@ -460,9 +473,7 @@ def test_can_update_asset(
         assert_detail_url = reverse(
             self._get_endpoint('asset-detail'), kwargs={'uid': asset_uid}
         )
-        data = {
-            'name': 'Week-end breakfast'
-        }
+        data = {'name': 'Week-end breakfast'}
 
         self.client.force_login(user)
         response = self.client.patch(assert_detail_url, data)
@@ -496,7 +507,7 @@ def test_can_delete_asset(
             self._get_endpoint('asset-detail'),
             # Use JSON format to prevent HtmlRenderer from returning a 200 status
             # instead of 204.
-            kwargs={'uid': asset_uid, 'format': 'json'}
+            kwargs={'uid': asset_uid, 'format': 'json'},
         )
 
         self.client.force_login(user)
@@ -593,7 +604,7 @@ class OrganizationAdminsDataApiTestCase(
     SubmissionEditTestCaseMixin,
     SubmissionDeleteTestCaseMixin,
     SubmissionViewTestCaseMixin,
-    BaseOrganizationAdminsDataApiTestCase
+    BaseOrganizationAdminsDataApiTestCase,
 ):
     """
     This test suite shares logic with `SubmissionEditApiTests`,
@@ -712,19 +723,23 @@ def test_can_add_rest_services(self):
 
     def test_can_list_rest_services(self):
         hook = self._create_hook()
-        list_url = reverse(self._get_endpoint('hook-list'), kwargs={
-            'parent_lookup_asset': self.asset.uid
-        })
+        list_url = reverse(
+            self._get_endpoint('hook-list'),
+            kwargs={'parent_lookup_asset': self.asset.uid},
+        )
 
         response = self.client.get(list_url)
         assert response.status_code == status.HTTP_200_OK
         assert response.data['count'] == 1
         assert response.data['results'][0]['uid'] == hook.uid
 
-        detail_url = reverse('hook-detail', kwargs={
-            'parent_lookup_asset': self.asset.uid,
-            'uid': hook.uid,
-        })
+        detail_url = reverse(
+            'hook-detail',
+            kwargs={
+                'parent_lookup_asset': self.asset.uid,
+                'uid': hook.uid,
+            },
+        )
 
         response = self.client.get(detail_url)
         assert response.status_code == status.HTTP_200_OK
diff --git a/kobo/apps/organizations/tests/test_organizations_model.py b/kobo/apps/organizations/tests/test_organizations_model.py
new file mode 100644
index 0000000000..c29d6f2414
--- /dev/null
+++ b/kobo/apps/organizations/tests/test_organizations_model.py
@@ -0,0 +1,22 @@
+from model_bakery import baker
+
+from kobo.apps.kobo_auth.shortcuts import User
+from kobo.apps.organizations.models import Organization
+from kpi.tests.kpi_test_case import BaseTestCase
+
+
+class OrganizationsModelTestCase(BaseTestCase):
+    fixtures = ['test_data']
+
+    def setUp(self):
+        self.user = User.objects.get(username='someuser')
+        self.anotheruser = User.objects.get(username='anotheruser')
+        self.organization = baker.make(Organization, id='org_abcd1234')
+        self.organization.add_user(user=self.user, is_admin=True)
+
+    def test_get_from_user_id(self):
+        org = Organization.get_from_user_id(self.user.pk)
+        assert org.pk == self.organization.pk
+
+        org = Organization.get_from_user_id(self.anotheruser.pk)
+        assert org.pk != self.organization.pk
diff --git a/kobo/apps/organizations/types.py b/kobo/apps/organizations/types.py
new file mode 100644
index 0000000000..e9570c319d
--- /dev/null
+++ b/kobo/apps/organizations/types.py
@@ -0,0 +1,3 @@
+from typing import Literal
+
+UsageType = Literal['characters', 'seconds', 'submission', 'storage']
diff --git a/kobo/apps/organizations/utils.py b/kobo/apps/organizations/utils.py
index 4b5cc18503..8fbf12bb76 100644
--- a/kobo/apps/organizations/utils.py
+++ b/kobo/apps/organizations/utils.py
@@ -1,16 +1,16 @@
 from datetime import datetime
 from typing import Union
-from zoneinfo import ZoneInfo
 
 from dateutil.relativedelta import relativedelta
+from django.apps import apps
 from django.utils import timezone
+from zoneinfo import ZoneInfo
 
 from kobo.apps.organizations.models import Organization
-from kpi.models.asset import Asset
 from kpi.models.object_permission import ObjectPermission
 
 
-def get_monthly_billing_dates(organization: Union[Organization, None]):
+def get_monthly_billing_dates(organization: Union['Organization', None]):
     """Returns start and end dates of an organization's monthly billing cycle"""
 
     now = timezone.now().replace(tzinfo=ZoneInfo('UTC'))
@@ -69,7 +69,7 @@ def get_monthly_billing_dates(organization: Union[Organization, None]):
     return period_start, period_end
 
 
-def get_yearly_billing_dates(organization: Union[Organization, None]):
+def get_yearly_billing_dates(organization: Union['Organization', None]):
     """Returns start and end dates of an organization's annual billing cycle"""
     now = timezone.now().replace(tzinfo=ZoneInfo('UTC'))
     first_of_this_year = datetime(now.year, 1, 1, tzinfo=ZoneInfo('UTC'))
@@ -105,9 +105,10 @@ def revoke_org_asset_perms(organization: Organization, user_ids: list[int]):
     Revokes permissions assigned to removed members on all assets belonging to
     the organization.
     """
+    Asset = apps.get_model('trackers', 'NLPUsageCounter')  # noqa
     subquery = Asset.objects.values_list('pk', flat=True).filter(
         owner=organization.owner_user_object
     )
     ObjectPermission.objects.filter(
-         asset_id__in=subquery, user_id__in=user_ids
+        asset_id__in=subquery, user_id__in=user_ids
     ).delete()
diff --git a/kobo/apps/organizations/views.py b/kobo/apps/organizations/views.py
index af959e6cc0..9be7689a27 100644
--- a/kobo/apps/organizations/views.py
+++ b/kobo/apps/organizations/views.py
@@ -2,14 +2,15 @@
 from django.contrib.postgres.aggregates import ArrayAgg
 from django.db.models import QuerySet
 from django.utils.decorators import method_decorator
+from django.utils.http import http_date
 from django.views.decorators.cache import cache_page
 from django_dont_vary_on.decorators import only_vary_on
-from kpi import filters
-from rest_framework import viewsets, status
+from rest_framework import status, viewsets
 from rest_framework.decorators import action
-from rest_framework.response import Response
 from rest_framework.request import Request
+from rest_framework.response import Response
 
+from kpi import filters
 from kpi.constants import ASSET_TYPE_SURVEY
 from kpi.filters import AssetOrderingFilter, SearchFilter
 from kpi.models.asset import Asset
@@ -21,10 +22,11 @@
 )
 from kpi.utils.object_permission import get_database_user
 from kpi.views.v2.asset import AssetViewSet
+
+from ..stripe.constants import ACTIVE_STRIPE_STATUSES
 from .models import Organization
 from .permissions import IsOrgAdmin, IsOrgAdminOrReadOnly
 from .serializers import OrganizationSerializer
-from ..stripe.constants import ACTIVE_STRIPE_STATUSES
 
 
 class OrganizationAssetViewSet(AssetViewSet):
@@ -80,11 +82,7 @@ class OrganizationViewSet(viewsets.ModelViewSet):
     permission_classes = (IsAuthenticated, IsOrgAdminOrReadOnly)
     pagination_class = AssetUsagePagination
 
-    @action(
-        detail=True,
-        methods=['GET'],
-        permission_classes=[IsOrgAdmin]
-    )
+    @action(detail=True, methods=['GET'], permission_classes=[IsOrgAdmin])
     def assets(self, request: Request, *args, **kwargs):
         """
         ### Retrieve Organization Assets
@@ -145,6 +143,7 @@ def service_usage(self, request, pk=None, *args, **kwargs):
         >           "current_month_start": {string (date), ISO format},
         >           "current_year_start": {string (date), ISO format},
         >           "billing_period_end": {string (date), ISO format}|{None},
+        >           "last_updated": {string (date), ISO format},
         >       }
         ### CURRENT ENDPOINT
         """
@@ -158,7 +157,14 @@ def service_usage(self, request, pk=None, *args, **kwargs):
             get_database_user(request.user),
             context=context,
         )
-        return Response(data=serializer.data)
+        response = Response(
+            data=serializer.data,
+            headers={
+                'Date': http_date(serializer.calculator.get_last_updated().timestamp())
+            },
+        )
+
+        return response
 
     @action(detail=True, methods=['get'])
     def asset_usage(self, request, pk=None, *args, **kwargs):
@@ -210,7 +216,7 @@ def asset_usage(self, request, pk=None, *args, **kwargs):
             )[0]
         except IndexError:
             return Response(
-                {'error': "There was a problem finding the organization."},
+                {'error': 'There was a problem finding the organization.'},
                 status=status.HTTP_400_BAD_REQUEST,
             )
 
diff --git a/kobo/apps/project_ownership/models/invite.py b/kobo/apps/project_ownership/models/invite.py
index fdf0a91a4a..2af6a2cf7a 100644
--- a/kobo/apps/project_ownership/models/invite.py
+++ b/kobo/apps/project_ownership/models/invite.py
@@ -8,6 +8,7 @@
 from kpi.fields import KpiUidField
 from kpi.models.abstract_models import AbstractTimeStampedModel
 from kpi.utils.mailer import EmailMessage, Mailer
+
 from .choices import InviteStatusChoices
 
 
@@ -96,7 +97,7 @@ def send_acceptance_email(self):
             plain_text_content_or_template='emails/accepted_invite.txt',
             template_variables=template_variables,
             html_content_or_template='emails/accepted_invite.html',
-            language=self.recipient.extra_details.data.get('last_ui_language')
+            language=self.recipient.extra_details.data.get('last_ui_language'),
         )
 
         Mailer.send(email_message)
@@ -127,7 +128,7 @@ def send_invite_email(self):
             plain_text_content_or_template='emails/new_invite.txt',
             template_variables=template_variables,
             html_content_or_template='emails/new_invite.html',
-            language=self.recipient.extra_details.data.get('last_ui_language')
+            language=self.recipient.extra_details.data.get('last_ui_language'),
         )
 
         Mailer.send(email_message)
@@ -153,7 +154,7 @@ def send_refusal_email(self):
             plain_text_content_or_template='emails/declined_invite.txt',
             template_variables=template_variables,
             html_content_or_template='emails/declined_invite.html',
-            language=self.recipient.extra_details.data.get('last_ui_language')
+            language=self.recipient.extra_details.data.get('last_ui_language'),
         )
 
         Mailer.send(email_message)
@@ -165,11 +166,7 @@ def create(self, **kwargs):
         return super().create(invite_type=InviteType.ORG_MEMBERSHIP, **kwargs)
 
     def get_queryset(self):
-        return (
-            super()
-            .get_queryset()
-            .filter(invite_type=InviteType.ORG_MEMBERSHIP)
-        )
+        return super().get_queryset().filter(invite_type=InviteType.ORG_MEMBERSHIP)
 
 
 class OrgMembershipAutoInvite(Invite):
diff --git a/kobo/apps/project_ownership/models/transfer.py b/kobo/apps/project_ownership/models/transfer.py
index 4ab95dfa95..664d64108c 100644
--- a/kobo/apps/project_ownership/models/transfer.py
+++ b/kobo/apps/project_ownership/models/transfer.py
@@ -19,6 +19,7 @@
 from kpi.fields import KpiUidField
 from kpi.models import Asset, ObjectPermission
 from kpi.models.abstract_models import AbstractTimeStampedModel
+
 from ..exceptions import TransferAlreadyProcessedException
 from ..tasks import async_task, send_email_to_admins
 from ..utils import get_target_folder
@@ -288,8 +289,8 @@ def _update_invite_status(self):
         This method must be called within a transaction because of the lock
         acquired the object row (with `select_for_update`)
         """
-        invite = self.get_invite_model().objects.select_for_update().get(
-            pk=self.invite_id
+        invite = (
+            self.get_invite_model().objects.select_for_update().get(pk=self.invite_id)
         )
         previous_status = invite.status
         is_complete = True
diff --git a/kobo/apps/project_ownership/serializers/invite.py b/kobo/apps/project_ownership/serializers/invite.py
index 769f964250..035b9ecd28 100644
--- a/kobo/apps/project_ownership/serializers/invite.py
+++ b/kobo/apps/project_ownership/serializers/invite.py
@@ -8,7 +8,7 @@
 
 from kpi.fields import RelativePrefixHyperlinkedRelatedField
 from kpi.models import Asset
-from .transfer import TransferListSerializer
+
 from ..models import (
     Invite,
     InviteStatusChoices,
@@ -17,6 +17,7 @@
     TransferStatusTypeChoices,
 )
 from ..utils import create_invite, update_invite
+from .transfer import TransferListSerializer
 
 
 class InviteSerializer(serializers.ModelSerializer):
diff --git a/kobo/apps/project_ownership/tests/api/v2/test_api.py b/kobo/apps/project_ownership/tests/api/v2/test_api.py
index f0d77721dc..7abafd1a42 100644
--- a/kobo/apps/project_ownership/tests/api/v2/test_api.py
+++ b/kobo/apps/project_ownership/tests/api/v2/test_api.py
@@ -4,6 +4,7 @@
 from constance.test import override_config
 from django.conf import settings
 from django.contrib.auth import get_user_model
+from django.test import override_settings
 from django.utils import timezone
 from rest_framework import status
 from rest_framework.reverse import reverse
@@ -358,6 +359,9 @@ def __add_submissions(self):
         'kobo.apps.project_ownership.tasks.move_media_files',
         MagicMock()
     )
+    @override_settings(
+        CACHES={'default': {'BACKEND': 'django.core.cache.backends.dummy.DummyCache'}}
+    )
     @override_config(PROJECT_OWNERSHIP_AUTO_ACCEPT_INVITES=True)
     def test_account_usage_transferred_to_new_user(self):
         today = timezone.now()
diff --git a/kobo/apps/project_ownership/utils.py b/kobo/apps/project_ownership/utils.py
index dd4f1bcd7d..9423f058a6 100644
--- a/kobo/apps/project_ownership/utils.py
+++ b/kobo/apps/project_ownership/utils.py
@@ -2,17 +2,17 @@
 import time
 from typing import Literal, Optional, Union
 
-from django.db import transaction
 from django.apps import apps
+from django.db import transaction
 from django.utils import timezone
 
-
-from kobo.apps.openrosa.apps.main.models import MetaData
 from kobo.apps.openrosa.apps.logger.models.attachment import Attachment
+from kobo.apps.openrosa.apps.main.models import MetaData
 from kobo.apps.project_ownership.models import InviteStatusChoices
 from kpi.models.asset import Asset, AssetFile
-from .exceptions import AsyncTaskException
+
 from .constants import ASYNC_TASK_HEARTBEAT, FILE_MOVE_CHUNK_SIZE
+from .exceptions import AsyncTaskException
 from .models.choices import TransferStatusChoices, TransferStatusTypeChoices
 
 
@@ -28,15 +28,9 @@ def create_invite(
     TransferStatus = apps.get_model('project_ownership', 'TransferStatus')
 
     with transaction.atomic():
-        invite = InviteModel.objects.create(
-            sender=sender,
-            recipient=recipient
-        )
+        invite = InviteModel.objects.create(sender=sender, recipient=recipient)
         transfers = Transfer.objects.bulk_create(
-            [
-                Transfer(invite=invite, asset=asset)
-                for asset in assets
-            ]
+            [Transfer(invite=invite, asset=asset) for asset in assets]
         )
         statuses = []
         for transfer in transfers:
@@ -244,9 +238,7 @@ def update_invite(
 
     for transfer in invite.transfers.all():
         if invite.status != InviteStatusChoices.IN_PROGRESS:
-            transfer.statuses.update(
-                status=TransferStatusChoices.CANCELLED
-            )
+            transfer.statuses.update(status=TransferStatusChoices.CANCELLED)
         else:
             transfer.transfer_project()
 
diff --git a/kobo/apps/stripe/admin.py b/kobo/apps/stripe/admin.py
new file mode 100644
index 0000000000..b00096b966
--- /dev/null
+++ b/kobo/apps/stripe/admin.py
@@ -0,0 +1,59 @@
+from django.contrib import admin, messages
+from django.contrib.admin import ModelAdmin
+from django.contrib.admin.helpers import ACTION_CHECKBOX_NAME
+from django.utils.translation import ngettext
+
+from kobo.apps.stripe.models import PlanAddOn
+
+
+@admin.register(PlanAddOn)
+class PlanAddOnAdmin(ModelAdmin):
+    list_display = (
+        'organization',
+        'product',
+        'quantity',
+        'is_available',
+        'created',
+    )
+    list_filter = (
+        'charge__livemode',
+        'created',
+        'product',
+        'organization',
+    )
+    search_fields = ('organization__id', 'id', 'organization__name', 'product__id')
+    readonly_fields = ('valid_tags',)
+    actions = ('_delete', 'make_add_ons')
+    universal_actions = ['make_add_ons']
+    change_list_template = 'admin/add-ons/change_list.html'
+
+    @admin.action(description='Make add-ons for existing Charges')
+    def make_add_ons(self, request, queryset):
+        created = PlanAddOn.make_add_ons_from_existing_charges()
+        self.message_user(
+            request,
+            ngettext(
+                '%d plan add-on was created.',
+                '%d plan add-ons were created.',
+                created,
+            )
+            % created,
+            messages.SUCCESS,
+        )
+
+    def changelist_view(self, request, extra_context=None):
+        if (
+            'action' in request.POST
+            and request.POST['action'] in self.universal_actions
+        ):
+            if not request.POST.getlist(ACTION_CHECKBOX_NAME):
+                post = request.POST.copy()
+                post.update({ACTION_CHECKBOX_NAME: str(1)})
+                request._set_post(post)
+        return super(PlanAddOnAdmin, self).changelist_view(request, extra_context)
+
+    def get_queryset(self, request):
+        return super().get_queryset(request).prefetch_related('organization', 'product')
+
+    def valid_tags(self, obj):
+        return obj.product.metadata.get('valid_tags', '')
diff --git a/kobo/apps/stripe/constants.py b/kobo/apps/stripe/constants.py
index b79dca0795..82e9926dfb 100644
--- a/kobo/apps/stripe/constants.py
+++ b/kobo/apps/stripe/constants.py
@@ -1,4 +1,6 @@
 # coding: utf-8
+from datetime import timedelta
+
 ACTIVE_STRIPE_STATUSES = [
     'active',
     'past_due',
@@ -16,3 +18,12 @@
     'name': None,
     'feature_list': [],
 }
+
+ORGANIZATION_USAGE_MAX_CACHE_AGE = timedelta(minutes=15)
+
+USAGE_LIMIT_MAP = {
+    'characters': 'mt_characters',
+    'seconds': 'asr_seconds',
+    'storage': 'storage_bytes',
+    'submission': 'submission',
+}
diff --git a/kobo/apps/stripe/migrations/0001_initial.py b/kobo/apps/stripe/migrations/0001_initial.py
new file mode 100644
index 0000000000..0146f59cf6
--- /dev/null
+++ b/kobo/apps/stripe/migrations/0001_initial.py
@@ -0,0 +1,102 @@
+# Generated by Django 3.2.15 on 2023-11-10 14:56
+
+import django.core.validators
+import django.db.models.deletion
+from django.db import migrations, models
+
+import kobo.apps.stripe.utils
+import kpi.fields.kpi_uid
+
+
+class Migration(migrations.Migration):
+
+    initial = True
+
+    dependencies = [
+        ('djstripe', '0011_2_7'),
+        ('organizations', '0001_squashed_0004_remove_organization_uid'),
+    ]
+
+    operations = [
+        migrations.CreateModel(
+            name='PlanAddOn',
+            fields=[
+                (
+                    'id',
+                    kpi.fields.kpi_uid.KpiUidField(
+                        _null=False, primary_key=True, uid_prefix='addon_'
+                    ),
+                ),
+                (
+                    'created',
+                    models.DateTimeField(
+                        help_text='The time when the add-on purchased.'
+                    ),
+                ),
+                (
+                    'quantity',
+                    models.PositiveIntegerField(
+                        default=1,
+                        validators=[django.core.validators.MinValueValidator(1)],
+                    ),
+                ),
+                (
+                    'usage_limits',
+                    models.JSONField(
+                        default=kobo.apps.stripe.utils.get_default_add_on_limits,
+                        help_text='The historical usage limits when the add-on was '
+                        'purchased.\n        Multiply this value by `quantity` to get '
+                        'the total limits for this add-on. Possible keys:\n'
+                        '"submission_limit", "asr_seconds_limit", and/or'
+                        '"mt_characters_limit"',
+                    ),
+                ),
+                (
+                    'limits_remaining',
+                    models.JSONField(
+                        default=kobo.apps.stripe.utils.get_default_add_on_limits,
+                        help_text="The amount of each of the add-on's individual "
+                        'limits left to use."',
+                    ),
+                ),
+                (
+                    'charge',
+                    models.ForeignKey(
+                        on_delete=django.db.models.deletion.CASCADE,
+                        to='djstripe.charge',
+                        to_field='id',
+                    ),
+                ),
+                (
+                    'organization',
+                    models.ForeignKey(
+                        blank=True,
+                        null=True,
+                        on_delete=django.db.models.deletion.SET_NULL,
+                        to='organizations.organization',
+                    ),
+                ),
+                (
+                    'product',
+                    models.ForeignKey(
+                        blank=True,
+                        null=True,
+                        on_delete=django.db.models.deletion.SET_NULL,
+                        to='djstripe.product',
+                        to_field='id',
+                    ),
+                ),
+            ],
+            options={
+                'verbose_name': 'plan add-on',
+                'verbose_name_plural': 'plan add-ons',
+            },
+        ),
+        migrations.AddIndex(
+            model_name='planaddon',
+            index=models.Index(
+                fields=['organization', 'limits_remaining', 'charge'],
+                name='stripe_plan_organiz_b3d2e4_idx',
+            ),
+        ),
+    ]
diff --git a/kobo/apps/stripe/migrations/__init__.py b/kobo/apps/stripe/migrations/__init__.py
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/kobo/apps/stripe/models.py b/kobo/apps/stripe/models.py
new file mode 100644
index 0000000000..66073893e4
--- /dev/null
+++ b/kobo/apps/stripe/models.py
@@ -0,0 +1,254 @@
+from typing import List
+
+from django.contrib import admin
+from django.core.exceptions import ObjectDoesNotExist
+from django.core.validators import MinValueValidator
+from django.db import models
+from django.db.models import F, IntegerField, Sum
+from django.db.models.functions import Cast, Coalesce
+from django.db.models.signals import post_save
+from django.dispatch import receiver
+from djstripe.enums import PaymentIntentStatus
+from djstripe.models import Charge, Price, Subscription
+
+from kobo.apps.organizations.models import Organization
+from kobo.apps.organizations.types import UsageType
+from kobo.apps.stripe.constants import ACTIVE_STRIPE_STATUSES, USAGE_LIMIT_MAP
+from kobo.apps.stripe.utils import get_default_add_on_limits
+from kpi.fields import KpiUidField
+from kpi.utils.django_orm_helper import DeductUsageValue
+
+
+class PlanAddOn(models.Model):
+    id = KpiUidField(uid_prefix='addon_', primary_key=True)
+    created = models.DateTimeField(help_text='The time when the add-on purchased.')
+    organization = models.ForeignKey(
+        'organizations.Organization',
+        to_field='id',
+        on_delete=models.SET_NULL,
+        null=True,
+        blank=True,
+    )
+    quantity = models.PositiveIntegerField(default=1, validators=[MinValueValidator(1)])
+    usage_limits = models.JSONField(
+        default=get_default_add_on_limits,
+        help_text='''The historical usage limits when the add-on was purchased.
+        Multiply this value by `quantity` to get the total limits for this add-on.
+        Possible keys:
+        "submission_limit", "asr_seconds_limit", and/or "mt_characters_limit"''',
+    )
+    limits_remaining = models.JSONField(
+        default=get_default_add_on_limits,
+        help_text="The amount of each of the add-on's individual limits left to use.",
+    )
+    product = models.ForeignKey(
+        'djstripe.Product',
+        to_field='id',
+        on_delete=models.SET_NULL,
+        null=True,
+        blank=True,
+    )
+    charge = models.ForeignKey(
+        'djstripe.Charge', to_field='id', on_delete=models.CASCADE
+    )
+
+    class Meta:
+        verbose_name = 'plan add-on'
+        verbose_name_plural = 'plan add-ons'
+        indexes = [
+            models.Index(fields=['organization', 'limits_remaining', 'charge']),
+        ]
+
+    @staticmethod
+    def create_or_update_one_time_add_on(charge: Charge):
+        """
+        Create a PlanAddOn object from a Charge object, if the Charge is for a
+        one-time add-on.
+
+        Returns True if a PlanAddOn was created, false otherwise.
+        """
+        if (
+            charge.payment_intent.status != PaymentIntentStatus.succeeded
+            or not charge.metadata.get('price_id', None)
+            or not charge.metadata.get('quantity', None)
+        ):
+            # make sure the charge is for a successful addon purchase
+            return False
+
+        try:
+            product = Price.objects.get(id=charge.metadata.get('price_id', '')).product
+            organization = Organization.objects.get(
+                id=charge.metadata['organization_id']
+            )
+        except ObjectDoesNotExist:
+            # no product/price/org/subscription, just bail
+            return False
+
+        if product.metadata.get('product_type', '') != 'addon_onetime':
+            # might be some other type of payment
+            return False
+
+        tags = product.metadata.get('valid_tags', '').split(',')
+        if (
+            tags
+            and ('all' not in tags)
+            and not Subscription.objects.filter(
+                customer__subscriber=organization,
+                items__price__product__metadata__has_key__in=[tags],
+                status__in=ACTIVE_STRIPE_STATUSES,
+            ).exists()
+        ):
+            # this user doesn't have the subscription level they need for this addon
+            return False
+
+        quantity = int(charge.metadata['quantity'])
+        usage_limits = {}
+        limits_remaining = {}
+        for limit_type in get_default_add_on_limits().keys():
+            limit_value = charge.metadata.get(limit_type, None)
+            if limit_value is not None:
+                usage_limits[limit_type] = int(limit_value)
+                limits_remaining[limit_type] = int(limit_value) * quantity
+
+        if not len(usage_limits):
+            # not a valid plan add-on
+            return False
+
+        add_on, add_on_created = PlanAddOn.objects.get_or_create(
+            charge=charge, created=charge.djstripe_created
+        )
+        if add_on_created:
+            add_on.product = product
+            add_on.quantity = int(charge.metadata['quantity'])
+            add_on.organization = organization
+            add_on.usage_limits = usage_limits
+            add_on.limits_remaining = limits_remaining
+            add_on.save()
+        return add_on_created
+
+    @staticmethod
+    def get_organization_totals(
+        organization: 'Organization', usage_type: UsageType
+    ) -> (int, int):
+        """
+        Returns the total limit and the total remaining usage for a given organization
+        and usage type.
+        """
+        usage_mapped = USAGE_LIMIT_MAP[usage_type]
+        limit_key = f'{usage_mapped}_limit'
+        limit_field = f'limits_remaining__{limit_key}'
+        usage_field = f'usage_limits__{limit_key}'
+        totals = PlanAddOn.objects.filter(
+            organization__id=organization.id,
+            limits_remaining__has_key=limit_key,
+            usage_limits__has_key=limit_key,
+            charge__refunded=False,
+        ).aggregate(
+            total_usage_limit=Coalesce(
+                Sum(Cast(usage_field, output_field=IntegerField()) * F('quantity')),
+                0,
+                output_field=IntegerField(),
+            ),
+            total_remaining=Coalesce(
+                Sum(Cast(limit_field, output_field=IntegerField())),
+                0,
+            ),
+        )
+
+        return totals['total_usage_limit'], totals['total_remaining']
+
+    @property
+    def is_expended(self):
+        """
+        Whether the addon is at/over its usage limits.
+        """
+        for limit_type, limit_value in self.limits_remaining.items():
+            if limit_value > 0:
+                return False
+        return True
+
+    @admin.display(boolean=True, description='available')
+    def is_available(self):
+        return not (self.is_expended or self.charge.refunded) and bool(
+            self.organization
+        )
+
+    def deduct(self, limit_type, amount_used):
+        """
+        Deducts the add on usage counter for limit_type by amount_used.
+        Returns the amount of this add-on that was used (up to its limit).
+        Will return 0 if limit_type does not apply to this add-on.
+        """
+        if limit_type in self.usage_limits.keys():
+            limit_available = self.limits_remaining.get(limit_type)
+            amount_to_use = min(amount_used, limit_available)
+            PlanAddOn.objects.filter(pk=self.id).update(
+                limits_remaining=DeductUsageValue(
+                    'limits_remaining', keyname=limit_type, amount=amount_used
+                )
+            )
+            return amount_to_use
+        return 0
+
+    @staticmethod
+    def make_add_ons_from_existing_charges():
+        """
+        Create a PlanAddOn object for each eligible Charge object in the database.
+        Does not refresh Charge data from Stripe.
+        Returns the number of PlanAddOns created.
+        """
+        created_count = 0
+        # TODO: This should filter out charges that are already matched to an add on
+        for charge in Charge.objects.all().iterator(chunk_size=500):
+            if PlanAddOn.create_or_update_one_time_add_on(charge):
+                created_count += 1
+        return created_count
+
+    @staticmethod
+    def deduct_add_ons_for_organization(
+        organization: 'Organization', usage_type: UsageType, amount: int
+    ):
+        """
+        Deducts the usage counter for limit_type by amount_used for a given user.
+        Will always spend the add-on with the most used first, so that add-ons
+        are used up in FIFO order.
+
+        Returns the amount of usage that was not applied to an add-on.
+        """
+        usage_mapped = USAGE_LIMIT_MAP[usage_type]
+        limit_key = f'{usage_mapped}_limit'
+        metadata_key = f'limits_remaining__{limit_key}'
+        add_ons = PlanAddOn.objects.filter(
+            organization__id=organization.id,
+            limits_remaining__has_key=limit_key,
+            charge__refunded=False,
+            **{f'{metadata_key}__gt': 0},
+        ).order_by(metadata_key)
+        remaining = amount
+        for add_on in add_ons.iterator():
+            if add_on.is_available():
+                remaining -= add_on.deduct(limit_type=limit_key, amount_used=remaining)
+        return remaining
+
+    @property
+    def total_usage_limits(self):
+        """
+        The total usage limits for this add-on, based on the usage_limits for a single
+        add-on and the quantity.
+        """
+        return {key: value * self.quantity for key, value in self.usage_limits.items()}
+
+    @property
+    def valid_tags(self) -> List:
+        """
+        The tag metadata (on the subscription product/price) needed to view/purchase
+        this add-on. If the org that purchased this add-on no longer has that a plan
+        with those tags, the add-on will be inactive. If the add-on doesn't require a
+        tag, this property will return an empty list.
+        """
+        return self.product.metadata.get('valid_tags', '').split(',')
+
+
+@receiver(post_save, sender=Charge)
+def make_add_on_for_charge(sender, instance, created, **kwargs):
+    PlanAddOn.create_or_update_one_time_add_on(instance)
diff --git a/kobo/apps/stripe/serializers.py b/kobo/apps/stripe/serializers.py
index 3d2346f7f7..422511b02f 100644
--- a/kobo/apps/stripe/serializers.py
+++ b/kobo/apps/stripe/serializers.py
@@ -2,27 +2,28 @@
 from djstripe.models import (
     Price,
     Product,
-    Session,
     Subscription,
     SubscriptionItem,
     SubscriptionSchedule,
 )
 from rest_framework import serializers
 
+from kobo.apps.stripe.models import PlanAddOn
 
-class OneTimeAddOnSerializer(serializers.ModelSerializer):
-    payment_intent = serializers.SlugRelatedField(
-        slug_field='status',
-        read_only=True,
-        many=False,
-    )
 
+class OneTimeAddOnSerializer(serializers.ModelSerializer):
     class Meta:
-        model = Session
+        model = PlanAddOn
         fields = (
-            'metadata',
+            'id',
             'created',
-            'payment_intent',
+            'is_available',
+            'quantity',
+            'usage_limits',
+            'total_usage_limits',
+            'limits_remaining',
+            'organization',
+            'product',
         )
 
 
diff --git a/kobo/apps/stripe/templates/admin/add-ons/change_list.html b/kobo/apps/stripe/templates/admin/add-ons/change_list.html
new file mode 100644
index 0000000000..86810d482d
--- /dev/null
+++ b/kobo/apps/stripe/templates/admin/add-ons/change_list.html
@@ -0,0 +1,8 @@
+{% extends "admin/change_list.html" %}
+{% load i18n static admin_list %}
+
+{% block result_list %}
+  {% if action_form and actions_on_top %}{% admin_actions %}{% endif %}
+  {% result_list cl %}
+  {% if action_form and actions_on_bottom and cl.full_result_count %}{% admin_actions %}{% endif %}
+{% endblock %}
diff --git a/kobo/apps/stripe/tests/test_customer_portal_api.py b/kobo/apps/stripe/tests/test_customer_portal_api.py
index 9e6421e0d8..00763e7d2e 100644
--- a/kobo/apps/stripe/tests/test_customer_portal_api.py
+++ b/kobo/apps/stripe/tests/test_customer_portal_api.py
@@ -1,9 +1,10 @@
+from unittest.mock import patch
+from urllib.parse import urlencode
+
 from django.urls import reverse
-from djstripe.models import Customer, Subscription, Price, Product
+from djstripe.models import Customer, Price, Product, Subscription
 from model_bakery import baker
 from rest_framework import status
-from urllib.parse import urlencode
-from unittest.mock import patch
 
 from kobo.apps.kobo_auth.shortcuts import User
 from kobo.apps.organizations.models import Organization
@@ -34,9 +35,7 @@ def _create_stripe_data(self, create_subscription=True, product_type='plan'):
         self.customer = baker.make(
             Customer, subscriber=self.organization, livemode=False
         )
-        self.product = baker.make(
-            Product, metadata={'product_type': product_type}
-        )
+        self.product = baker.make(Product, metadata={'product_type': product_type})
         self.price = baker.make(
             Price,
             product=self.product,
diff --git a/kobo/apps/stripe/tests/test_one_time_addons_api.py b/kobo/apps/stripe/tests/test_one_time_addons_api.py
index 1be1513fef..7c699d1ebb 100644
--- a/kobo/apps/stripe/tests/test_one_time_addons_api.py
+++ b/kobo/apps/stripe/tests/test_one_time_addons_api.py
@@ -1,14 +1,25 @@
+from ddt import data, ddt
 from django.urls import reverse
-from djstripe.enums import BillingScheme
-from djstripe.models import Customer, PaymentIntent
+from django.utils import timezone
+from djstripe.models import (
+    Charge,
+    Customer,
+    PaymentIntent,
+    Price,
+    Product,
+    Subscription,
+)
 from model_bakery import baker
 from rest_framework import status
 
 from kobo.apps.kobo_auth.shortcuts import User
 from kobo.apps.organizations.models import Organization
+from kobo.apps.stripe.constants import USAGE_LIMIT_MAP
+from kobo.apps.stripe.models import PlanAddOn
 from kpi.tests.kpi_test_case import BaseTestCase
 
 
+@ddt
 class OneTimeAddOnAPITestCase(BaseTestCase):
     fixtures = ['test_data']
 
@@ -17,58 +28,183 @@ def setUp(self):
         self.client.force_login(self.someuser)
         self.url = reverse('addons-list')
         self.price_id = 'price_305dfs432ltnjw'
-
-    def _insert_data(self):
         self.organization = baker.make(Organization)
         self.organization.add_user(self.someuser, is_admin=True)
         self.customer = baker.make(Customer, subscriber=self.organization)
+        baker.make(
+            Subscription,
+            customer=self.customer,
+            status='active',
+        )
+
+    def _create_product(self, metadata=None):
+        if not metadata:
+            metadata = {
+                'product_type': 'addon_onetime',
+                'submission_limit': 2000,
+                'valid_tags': 'all',
+            }
+        self.product = baker.make(
+            Product,
+            active=True,
+            metadata=metadata,
+        )
+        self.price = baker.make(
+            Price, active=True, product=self.product, type='one_time'
+        )
+        self.product.save()
 
-    def _create_session_and_payment_intent(self):
-        payment_intent = baker.make(
+    def _create_payment(self, payment_status='succeeded', refunded=False, quantity=1):
+        payment_total = quantity * 2000
+        self.payment_intent = baker.make(
             PaymentIntent,
             customer=self.customer,
-            status='succeeded',
-            payment_method_types=["card"],
+            status=payment_status,
+            payment_method_types=['card'],
             livemode=False,
+            amount=payment_total,
+            amount_capturable=payment_total,
+            amount_received=payment_total,
         )
-        session = baker.make(
-            'djstripe.Session',
+        self.charge = baker.prepare(
+            Charge,
             customer=self.customer,
-            metadata={
-                'organization_id': self.organization.id,
-                'price_id': self.price_id,
-            },
-            mode='payment',
-            payment_intent=payment_intent,
-            payment_method_types=["card"],
-            items__price__livemode=False,
-            items__price__billing_scheme=BillingScheme.per_unit,
+            refunded=refunded,
+            created=timezone.now(),
+            payment_intent=self.payment_intent,
+            paid=True,
+            status=payment_status,
             livemode=False,
+            amount_refunded=0 if refunded else payment_total,
+            amount=payment_total,
         )
+        self.charge.metadata = {
+            'price_id': self.price.id,
+            'organization_id': self.organization.id,
+            'quantity': quantity,
+            **(self.product.metadata or {}),
+        }
+        self.charge.save()
 
     def test_no_addons(self):
         response = self.client.get(self.url)
         assert response.status_code == status.HTTP_200_OK
         assert response.data['results'] == []
 
-    def test_get_endpoint(self):
-        self._insert_data()
-        self._create_session_and_payment_intent()
+    def test_get_addon(self):
+        self._create_product()
+        self._create_payment()
+        response = self.client.get(self.url)
+        assert response.status_code == status.HTTP_200_OK
+        assert response.data['count'] == 1
+        assert response.data['results'][0]['product'] == self.product.id
+
+    def test_multiple_addons(self):
+        self._create_product()
+        self._create_payment()
+        self._create_payment()
+        self._create_payment()
+        response = self.client.get(self.url)
+        assert response.status_code == status.HTTP_200_OK
+        assert response.data['count'] == 3
+
+    def test_no_addons_for_invalid_product_metadata(self):
+        self._create_product(
+            metadata={'product_type': 'subscription', 'submission_limit': 2000}
+        )
+        self._create_payment()
+        response = self.client.get(self.url)
+        assert response.status_code == status.HTTP_200_OK
+        assert response.data['count'] == 0
+
+        self._create_product(
+            metadata={
+                'product_type': 'addon_onetime',
+                'not_a_real_limit_key': 2000,
+                'valid_tags': 'all',
+            }
+        )
+        self._create_payment()
+        response = self.client.get(self.url)
+        assert response.status_code == status.HTTP_200_OK
+        assert response.data['count'] == 0
+
+    def test_addon_inactive_for_refunded_charge(self):
+        self._create_product()
+        self._create_payment(refunded=True)
+        response = self.client.get(self.url)
+        assert response.status_code == status.HTTP_200_OK
+        assert response.data['count'] == 1
+        assert not response.data['results'][0]['is_available']
+
+    def test_no_addon_for_cancelled_charge(self):
+        self._create_product()
+        self._create_payment(payment_status='cancelled')
+        response = self.client.get(self.url)
+        assert response.status_code == status.HTTP_200_OK
+        assert response.data['count'] == 0
+
+    def test_total_limits_reflect_addon_quantity(self):
+        limit = 2000
+        quantity = 9
+        self._create_product(
+            metadata={
+                'product_type': 'addon_onetime',
+                'asr_seconds_limit': limit,
+                'valid_tags': 'all',
+            }
+        )
+        self._create_payment(quantity=quantity)
         response = self.client.get(self.url)
         assert response.status_code == status.HTTP_200_OK
         assert response.data['count'] == 1
+        asr_seconds = response.data['results'][0]['total_usage_limits'][
+            'asr_seconds_limit'
+        ]
+        assert asr_seconds == limit * quantity
 
     def test_anonymous_user(self):
-        self._insert_data()
-        self._create_session_and_payment_intent()
+        self._create_product()
+        self._create_payment()
         self.client.logout()
         response = self.client.get(self.url)
         assert response.status_code == status.HTTP_401_UNAUTHORIZED
 
     def test_not_own_addon(self):
-        self._insert_data()
-        self._create_session_and_payment_intent()
+        self._create_product()
+        self._create_payment()
         self.client.force_login(User.objects.get(username='anotheruser'))
         response_get_list = self.client.get(self.url)
         assert response_get_list.status_code == status.HTTP_200_OK
         assert response_get_list.data['results'] == []
+
+    @data('characters', 'seconds')
+    def test_get_user_totals(self, usage_type):
+        limit = 2000
+        quantity = 5
+        usage_limit_key = f'{USAGE_LIMIT_MAP[usage_type]}_limit'
+        self._create_product(
+            metadata={
+                'product_type': 'addon_onetime',
+                usage_limit_key: limit,
+                'valid_tags': 'all',
+            }
+        )
+        self._create_payment()
+        self._create_payment()
+        self._create_payment(quantity=quantity)
+
+        total_limit, remaining = PlanAddOn.get_organization_totals(
+            self.organization, usage_type
+        )
+        assert total_limit == limit * (quantity + 2)
+        assert remaining == limit * (quantity + 2)
+
+        PlanAddOn.deduct_add_ons_for_organization(
+            self.organization, usage_type, limit * quantity
+        )
+        total_limit, remaining = PlanAddOn.get_organization_totals(
+            self.organization, usage_type
+        )
+        assert total_limit == limit * (quantity + 2)
+        assert remaining == limit * 2
diff --git a/kobo/apps/stripe/tests/test_organization_usage.py b/kobo/apps/stripe/tests/test_organization_usage.py
index ef2c57a82f..e07773be59 100644
--- a/kobo/apps/stripe/tests/test_organization_usage.py
+++ b/kobo/apps/stripe/tests/test_organization_usage.py
@@ -9,6 +9,7 @@
 
 import pytest
 from dateutil.relativedelta import relativedelta
+from ddt import data, ddt
 from django.core.cache import cache
 from django.test import override_settings
 from django.urls import reverse
@@ -20,15 +21,18 @@
 
 from kobo.apps.kobo_auth.shortcuts import User
 from kobo.apps.organizations.models import Organization, OrganizationUser
+from kobo.apps.stripe.constants import USAGE_LIMIT_MAP
 from kobo.apps.stripe.tests.utils import (
     generate_enterprise_subscription,
     generate_plan_subscription,
 )
+from kobo.apps.stripe.utils import get_organization_plan_limit
 from kobo.apps.trackers.tests.submission_utils import (
     add_mock_submissions,
     create_mock_assets,
 )
 from kpi.tests.api.v2.test_api_asset_usage import AssetUsageAPITestCase
+from kpi.tests.kpi_test_case import BaseTestCase
 from kpi.tests.test_usage_calculator import BaseServiceUsageTestCase
 
 
@@ -458,3 +462,50 @@ def test_users_without_enterprise_see_only_their_usage(self):
         response = self.client.get(self.detail_url)
         assert response.status_code == status.HTTP_200_OK
         assert response.data['count'] == 1
+
+
+@ddt
+class OrganizationsUtilsTestCase(BaseTestCase):
+    fixtures = ['test_data']
+
+    def setUp(self):
+        self.organization = baker.make(
+            Organization, id='123456abcdef', name='test organization'
+        )
+        self.someuser = User.objects.get(username='someuser')
+        self.anotheruser = User.objects.get(username='anotheruser')
+        self.newuser = baker.make(User, username='newuser')
+        self.organization.add_user(self.anotheruser, is_admin=True)
+
+    def test_get_plan_community_limit(self):
+        generate_enterprise_subscription(self.organization)
+        limit = get_organization_plan_limit(self.organization, 'seconds')
+        assert limit == 2000  # TODO get the limits from the community plan, overrides
+        limit = get_organization_plan_limit(self.organization, 'characters')
+        assert limit == 2000  # TODO get the limits from the community plan, overrides
+
+    @data('characters', 'seconds')
+    def test_get_suscription_limit(self, usage_type):
+        stripe_key = f'{USAGE_LIMIT_MAP[usage_type]}_limit'
+        product_metadata = {
+            stripe_key: '1234',
+            'product_type': 'plan',
+            'plan_type': 'enterprise',
+        }
+        generate_plan_subscription(self.organization, metadata=product_metadata)
+        limit = get_organization_plan_limit(self.organization, usage_type)
+        assert limit == 1234
+
+    # Currently submissions and storage are the only usage types that can be
+    # 'unlimited'
+    @data('submission', 'storage')
+    def test_get_suscription_limit_unlimited(self, usage_type):
+        stripe_key = f'{USAGE_LIMIT_MAP[usage_type]}_limit'
+        product_metadata = {
+            stripe_key: 'unlimited',
+            'product_type': 'plan',
+            'plan_type': 'enterprise',
+        }
+        generate_plan_subscription(self.organization, metadata=product_metadata)
+        limit = get_organization_plan_limit(self.organization, usage_type)
+        assert limit == float('inf')
diff --git a/kobo/apps/stripe/utils.py b/kobo/apps/stripe/utils.py
index f64e19b3ed..c6dbb45381 100644
--- a/kobo/apps/stripe/utils.py
+++ b/kobo/apps/stripe/utils.py
@@ -1,10 +1,83 @@
-from math import ceil, floor
+from math import ceil, floor, inf
 
 from django.conf import settings
-from djstripe.models import Price
+from django.db.models import F
 
+from kobo.apps.organizations.models import Organization
+from kobo.apps.organizations.types import UsageType
+from kobo.apps.stripe.constants import ACTIVE_STRIPE_STATUSES, USAGE_LIMIT_MAP
 
-def get_total_price_for_quantity(price: Price, quantity: int):
+
+def generate_return_url(product_metadata):
+    """
+    Determine which frontend page Stripe should redirect users to
+    after they make a purchase or manage their account.
+    """
+    base_url = settings.KOBOFORM_URL + '/#/account/'
+    return_page = 'addons' if product_metadata['product_type'] == 'addon' else 'plan'
+    return base_url + return_page
+
+
+def get_default_add_on_limits():
+    return {
+        'submission_limit': 0,
+        'asr_seconds_limit': 0,
+        'mt_characters_limit': 0,
+    }
+
+
+def get_organization_plan_limit(
+    organization: Organization, usage_type: UsageType
+) -> int | float:
+    """
+    Get organization plan limit for a given usage type
+    """
+    if not settings.STRIPE_ENABLED:
+        return None
+    stripe_key = f'{USAGE_LIMIT_MAP[usage_type]}_limit'
+    query_product_type = (
+        'djstripe_customers__subscriptions__items__price__'
+        'product__metadata__product_type'
+    )
+    query_status__in = 'djstripe_customers__subscriptions__status__in'
+    organization_filter = Organization.objects.filter(
+        id=organization.id,
+        **{
+            query_status__in: ACTIVE_STRIPE_STATUSES,
+            query_product_type: 'plan',
+        },
+    )
+
+    field_price_limit = (
+        'djstripe_customers__subscriptions__items__' f'price__metadata__{stripe_key}'
+    )
+    field_product_limit = (
+        'djstripe_customers__subscriptions__items__'
+        f'price__product__metadata__{stripe_key}'
+    )
+    current_limit = organization_filter.values(
+        price_limit=F(field_price_limit),
+        product_limit=F(field_product_limit),
+        prod_metadata=F(
+            'djstripe_customers__subscriptions__items__price__product__metadata'
+        ),
+    ).first()
+    relevant_limit = None
+    if current_limit is not None:
+        relevant_limit = current_limit.get('price_limit') or current_limit.get(
+            'product_limit'
+        )
+    if relevant_limit is None:
+        # TODO: get the limits from the community plan, overrides
+        relevant_limit = 2000
+    # Limits in Stripe metadata are strings. They may be numbers or 'unlimited'
+    if relevant_limit == 'unlimited':
+        return inf
+
+    return int(relevant_limit)
+
+
+def get_total_price_for_quantity(price: 'djstripe.models.Price', quantity: int):
     """
     Calculate a total price (dividing and rounding as necessary) for an item quantity
     and djstripe Price object
@@ -17,14 +90,3 @@ def get_total_price_for_quantity(price: Price, quantity: int):
         else:
             total_price = floor(total_price)
     return total_price * price.unit_amount
-
-def generate_return_url(product_metadata):
-    """
-    Determine which frontend page Stripe should redirect users to
-    after they make a purchase or manage their account.
-    """
-    base_url = settings.KOBOFORM_URL + '/#/account/'
-    return_page = (
-        'addons' if product_metadata['product_type'] == 'addon' else 'plan'
-    )
-    return base_url + return_page
diff --git a/kobo/apps/stripe/views.py b/kobo/apps/stripe/views.py
index 7b388c950c..95811c0240 100644
--- a/kobo/apps/stripe/views.py
+++ b/kobo/apps/stripe/views.py
@@ -10,7 +10,6 @@
     Customer,
     Price,
     Product,
-    Session,
     Subscription,
     SubscriptionItem,
     SubscriptionSchedule,
@@ -23,6 +22,7 @@
 
 from kobo.apps.organizations.models import Organization
 from kobo.apps.stripe.constants import ACTIVE_STRIPE_STATUSES
+from kobo.apps.stripe.models import PlanAddOn
 from kobo.apps.stripe.serializers import (
     ChangePlanSerializer,
     CheckoutLinkSerializer,
@@ -31,26 +31,23 @@
     ProductSerializer,
     SubscriptionSerializer,
 )
-from kobo.apps.stripe.utils import (
-    generate_return_url,
-    get_total_price_for_quantity,
-)
+from kobo.apps.stripe.utils import generate_return_url, get_total_price_for_quantity
 from kpi.permissions import IsAuthenticated
 
 
-# Lists the one-time purchases made by the organization that the logged-in user owns
 class OneTimeAddOnViewSet(viewsets.ReadOnlyModelViewSet):
+    """
+    Lists the one-time add-ons for the authenticated user's organization.
+    """
     permission_classes = (IsAuthenticated,)
     serializer_class = OneTimeAddOnSerializer
-    queryset = Session.objects.all()
+    queryset = PlanAddOn.objects.all()
 
     def get_queryset(self):
         return self.queryset.filter(
-            livemode=settings.STRIPE_LIVE_MODE,
-            customer__subscriber__owner__organization_user__user=self.request.user,
-            mode='payment',
-            payment_intent__status__in=['succeeded', 'processing'],
-        ).prefetch_related('payment_intent')
+            charge__livemode=settings.STRIPE_LIVE_MODE,
+            organization__organization_users__user=self.request.user,
+        )
 
 
 class ChangePlanView(APIView):
@@ -90,7 +87,10 @@ def modify_subscription(price, subscription, quantity):
         stripe.api_key = djstripe_settings.STRIPE_SECRET_KEY
         subscription_item = subscription.items.get()
         # Exit immediately if the price/quantity we're changing to is the price/quantity they're currently subscribed to
-        if quantity == subscription_item.quantity and price.id == subscription_item.price.id:
+        if (
+            quantity == subscription_item.quantity
+            and price.id == subscription_item.price.id
+        ):
             return Response(
                 {'status': 'already subscribed'},
                 status=status.HTTP_400_BAD_REQUEST,
@@ -200,7 +200,7 @@ class CheckoutLinkView(APIView):
     serializer_class = CheckoutLinkSerializer
 
     @staticmethod
-    def generate_payment_link(price, user, organization_id, quantity):
+    def generate_payment_link(price, user, organization_id, quantity=1):
         if organization_id:
             # Get the organization for the logged-in user and provided organization ID
             organization = Organization.objects.get(
@@ -246,12 +246,24 @@ def generate_payment_link(price, user, organization_id, quantity):
         return session['url']
 
     @staticmethod
-    def start_checkout_session(customer_id, price, organization_id, user, quantity):
-        checkout_mode = (
-            'payment' if price.type == 'one_time' else 'subscription'
-        )
+    def start_checkout_session(customer_id, price, organization_id, user, quantity=1):
         kwargs = {}
-        if checkout_mode == 'subscription':
+        if price.type == 'one_time':
+            checkout_mode = 'payment'
+            kwargs['payment_intent_data'] = {
+                'metadata': {
+                    'organization_id': organization_id,
+                    'price_id': price.id,
+                    'quantity': quantity,
+                    # product metadata contains the usage limit values
+                    # for one-time add-ons
+                    **(price.product.metadata or {}),
+                },
+            }
+        else:
+            checkout_mode = 'subscription'
+            # subscriptions in Stripe can only be purchased one at a time
+            quantity = 1
             kwargs['subscription_data'] = {
                 'metadata': {
                     'kpi_owner_username': user.username,
@@ -260,6 +272,7 @@ def start_checkout_session(customer_id, price, organization_id, user, quantity):
                     'organization_id': organization_id,
                 },
             }
+
         return stripe.checkout.Session.create(
             api_key=djstripe_settings.STRIPE_SECRET_KEY,
             allow_promotion_codes=True,
@@ -282,7 +295,8 @@ def start_checkout_session(customer_id, price, organization_id, user, quantity):
                 'kpi_owner_username': user.username,
             },
             mode=checkout_mode,
-            success_url=generate_return_url(price.product.metadata) + f'?checkout={price.id}',
+            success_url=generate_return_url(price.product.metadata)
+            + f'?checkout={price.id}',
             **kwargs,
         )
 
@@ -323,8 +337,9 @@ def generate_portal_link(user, organization_id, price, quantity):
         )
 
         if not customer:
+            error_str = f"Couldn't find customer with organization id {organization_id}"
             return Response(
-                {'error': f"Couldn't find customer with organization id {organization_id}"},
+                {'error': error_str},
                 status=status.HTTP_400_BAD_REQUEST,
             )
 
@@ -361,7 +376,10 @@ def generate_portal_link(user, organization_id, price, quantity):
             )
 
             if not len(all_configs):
-                return Response({'error': "Missing Stripe billing configuration."}, status=status.HTTP_502_BAD_GATEWAY)
+                return Response(
+                    {'error': 'Missing Stripe billing configuration.'},
+                    status=status.HTTP_502_BAD_GATEWAY,
+                )
 
             """
             Recurring add-ons and the Enterprise plan aren't included in the default billing configuration.
diff --git a/kobo/apps/subsequences/integrations/google/google_transcribe.py b/kobo/apps/subsequences/integrations/google/google_transcribe.py
index 726d5984c7..16626ca619 100644
--- a/kobo/apps/subsequences/integrations/google/google_transcribe.py
+++ b/kobo/apps/subsequences/integrations/google/google_transcribe.py
@@ -11,6 +11,7 @@
 from google.cloud import speech
 
 from kpi.utils.log import logging
+
 from ...constants import GOOGLETS
 from ...exceptions import (
     AudioTooLongError,
@@ -72,6 +73,7 @@ def begin_google_operation(
         submission_uuid = self.submission.submission_uuid
         flac_content, duration = content
         total_seconds = int(duration.total_seconds())
+
         # Create the parameters required for the transcription
         speech_client = speech.SpeechClient(credentials=self.credentials)
         config = speech.RecognitionConfig(
diff --git a/kobo/apps/subsequences/tests/test_submission_extras_api_post.py b/kobo/apps/subsequences/tests/test_submission_extras_api_post.py
index 4b9de37062..372fc6dcdc 100644
--- a/kobo/apps/subsequences/tests/test_submission_extras_api_post.py
+++ b/kobo/apps/subsequences/tests/test_submission_extras_api_post.py
@@ -26,7 +26,9 @@
     PERM_VIEW_SUBMISSIONS,
 )
 from kpi.models.asset import Asset
+from kpi.tests.base_test_case import BaseTestCase
 from kpi.utils.fuzzy_int import FuzzyInt
+
 from ..constants import GOOGLETS, GOOGLETX
 from ..models import SubmissionExtras
 
@@ -389,11 +391,11 @@ def test_change_language_list(self):
         # validate(package, schema)
 
 
-class GoogleNLPSubmissionTest(APITestCase):
+class GoogleNLPSubmissionTest(BaseTestCase):
+    fixtures = ['test_data']
+
     def setUp(self):
-        self.user = User.objects.create_user(
-            username='someuser', email='user@example.com'
-        )
+        self.user = User.objects.get(username='someuser')
         self.asset = Asset(
             content={'survey': [{'type': 'audio', 'label': 'q1', 'name': 'q1'}]}
         )
@@ -406,12 +408,11 @@ def setUp(self):
         self.asset.deploy(backend='mock', active=True)
         self.asset_url = f'/api/v2/assets/{self.asset.uid}/?format=json'
         self.client.force_login(self.user)
-        transcription_service = TranscriptionService.objects.create(code='goog')
-        translation_service = TranslationService.objects.create(code='goog')
+        transcription_service = TranscriptionService.objects.get(code='goog')
+        translation_service = TranslationService.objects.get(code='goog')
 
         language = Language.objects.create(name='', code='')
         language_region = LanguageRegion.objects.create(language=language, name='', code='')
-
         TranscriptionServiceLanguageM2M.objects.create(
             language=language,
             region=language_region,
diff --git a/kobo/apps/trackers/tests/test_utils.py b/kobo/apps/trackers/tests/test_utils.py
new file mode 100644
index 0000000000..05c11d1f07
--- /dev/null
+++ b/kobo/apps/trackers/tests/test_utils.py
@@ -0,0 +1,121 @@
+from ddt import data, ddt
+from django.utils import timezone
+from djstripe.models import Charge, PaymentIntent, Price, Product
+from model_bakery import baker
+
+from kobo.apps.kobo_auth.shortcuts import User
+from kobo.apps.organizations.models import Organization
+from kobo.apps.stripe.constants import USAGE_LIMIT_MAP
+from kobo.apps.stripe.tests.utils import generate_plan_subscription
+from kobo.apps.trackers.utils import (
+    get_organization_remaining_usage,
+    update_nlp_counter,
+)
+from kpi.models.asset import Asset
+from kpi.tests.kpi_test_case import BaseTestCase
+
+
+@ddt
+class TrackersUtilitiesTestCase(BaseTestCase):
+    fixtures = ['test_data']
+
+    def setUp(self):
+        self.organization = baker.make(
+            Organization, id='123456abcdef', name='test organization'
+        )
+        self.someuser = User.objects.get(username='someuser')
+        self.anotheruser = User.objects.get(username='anotheruser')
+        self.organization.add_user(self.someuser, is_admin=True)
+
+        self.asset = Asset.objects.create(
+            content={'survey': [{'type': 'text', 'label': 'q1', 'name': 'q1'}]},
+            owner=self.someuser,
+            asset_type='survey',
+            name='test asset',
+        )
+        self.asset.deploy(backend='mock', active=True)
+
+    def _create_product(self, product_metadata):
+        product = baker.make(
+            Product,
+            active=True,
+            metadata=product_metadata,
+        )
+        price = baker.make(Price, active=True, product=product, type='one_time')
+        product.save()
+        return product, price
+
+    def _make_payment(
+        self,
+        price,
+        customer,
+        payment_status='succeeded',
+        quantity=1,
+    ):
+        payment_total = quantity * 2000
+        payment_intent = baker.make(
+            PaymentIntent,
+            customer=customer,
+            status=payment_status,
+            payment_method_types=['card'],
+            livemode=False,
+            amount=payment_total,
+            amount_capturable=payment_total,
+            amount_received=payment_total,
+        )
+        charge = baker.prepare(
+            Charge,
+            customer=customer,
+            refunded=False,
+            created=timezone.now(),
+            payment_intent=payment_intent,
+            paid=True,
+            status=payment_status,
+            livemode=False,
+            amount_refunded=0,
+            amount=payment_total,
+        )
+        charge.metadata = {
+            'price_id': price.id,
+            'organization_id': self.organization.id,
+            'quantity': quantity,
+            **(price.product.metadata or {}),
+        }
+        charge.save()
+        return charge
+
+    @data('characters', 'seconds')
+    def test_organization_usage_utils(self, usage_type):
+        usage_key = f'{USAGE_LIMIT_MAP[usage_type]}_limit'
+        sub_metadata = {
+            usage_key: '1000',
+            'product_type': 'plan',
+            'plan_type': 'enterprise',
+        }
+        subscription = generate_plan_subscription(
+            self.organization, metadata=sub_metadata
+        )
+        addon_metadata = {
+            'product_type': 'addon_onetime',
+            usage_key: '2000',
+            'valid_tags': 'all',
+        }
+        product, price = self._create_product(addon_metadata)
+        self._make_payment(price, subscription.customer, quantity=2)
+
+        total_limit = 2000 * 2 + 1000
+        remaining = get_organization_remaining_usage(self.organization, usage_type)
+        assert remaining == total_limit
+
+        update_nlp_counter(
+            USAGE_LIMIT_MAP[usage_type], 1000, self.someuser.id, self.asset.id
+        )
+
+        remaining = get_organization_remaining_usage(self.organization, usage_type)
+        assert remaining == total_limit - 1000
+
+        update_nlp_counter(
+            USAGE_LIMIT_MAP[usage_type], 1500, self.someuser.id, self.asset.id
+        )
+        remaining = get_organization_remaining_usage(self.organization, usage_type)
+        assert remaining == total_limit - 2500
diff --git a/kobo/apps/trackers/utils.py b/kobo/apps/trackers/utils.py
index 57f7e0221a..1e7325127f 100644
--- a/kobo/apps/trackers/utils.py
+++ b/kobo/apps/trackers/utils.py
@@ -1,10 +1,16 @@
-from typing import Optional
+from typing import Optional, Union
 
 from django.apps import apps
 from django.db.models import F
 from django.utils import timezone
+from django_request_cache import cache_for_request
 
+from kobo.apps.organizations.models import Organization
+from kobo.apps.organizations.types import UsageType
+from kobo.apps.stripe.constants import USAGE_LIMIT_MAP
+from kobo.apps.stripe.utils import get_organization_plan_limit
 from kpi.utils.django_orm_helper import IncrementValue
+from kpi.utils.usage_calculator import ServiceUsageCalculator
 
 
 def update_nlp_counter(
@@ -24,9 +30,11 @@ def update_nlp_counter(
                 on the service
             user_id (int): id of the asset owner
             asset_id (int) or None: Primary key for Asset Model
+            counter_id (int) or None: Primary key for NLPUsageCounter instance
     """
     # Avoid circular import
     NLPUsageCounter = apps.get_model('trackers', 'NLPUsageCounter')  # noqa
+    organization = Organization.get_from_user_id(user_id)
 
     if not counter_id:
         date = timezone.now()
@@ -44,10 +52,69 @@ def update_nlp_counter(
     kwargs = {}
     if service.endswith('asr_seconds'):
         kwargs['total_asr_seconds'] = F('total_asr_seconds') + amount
+        if asset_id is not None and organization is not None:
+            handle_usage_deduction(organization, 'seconds', amount)
     if service.endswith('mt_characters'):
         kwargs['total_mt_characters'] = F('total_mt_characters') + amount
+        if asset_id is not None and organization is not None:
+            handle_usage_deduction(organization, 'characters', amount)
 
     NLPUsageCounter.objects.filter(pk=counter_id).update(
         counters=IncrementValue('counters', keyname=service, increment=amount),
         **kwargs,
     )
+
+
+@cache_for_request
+def get_organization_usage(organization: Organization, usage_type: UsageType) -> int:
+    """
+    Get the used amount for a given organization and usage type
+    """
+    usage_calc = ServiceUsageCalculator(
+        organization.owner.organization_user.user, organization, disable_cache=True
+    )
+    usage = usage_calc.get_nlp_usage_by_type(USAGE_LIMIT_MAP[usage_type])
+
+    return usage
+
+
+def get_organization_remaining_usage(
+    organization: Organization, usage_type: UsageType
+) -> Union[int, None]:
+    """
+    Get the organization remaining usage count for a given limit type
+    """
+    PlanAddOn = apps.get_model('stripe', 'PlanAddOn')  # noqa
+
+    plan_limit = get_organization_plan_limit(organization, usage_type)
+    if plan_limit is None:
+        plan_limit = 0
+    usage = get_organization_usage(organization, usage_type)
+    addon_limit, addon_remaining = PlanAddOn.get_organization_totals(
+        organization,
+        usage_type,
+    )
+    plan_remaining = max(0, plan_limit - usage)  # if negative, they have 0 remaining
+    total_remaining = addon_remaining + plan_remaining
+
+    return total_remaining
+
+
+def handle_usage_deduction(
+    organization: Organization, usage_type: UsageType, amount: int
+):
+    """
+    Deducts the specified usage type for this organization by the given amount
+    """
+    PlanAddOn = apps.get_model('stripe', 'PlanAddOn')
+
+    plan_limit = get_organization_plan_limit(organization, usage_type)
+    current_usage = get_organization_usage(organization, usage_type)
+    if current_usage is None:
+        current_usage = 0
+    new_total_usage = current_usage + amount
+    if new_total_usage > plan_limit:
+        deduction = (
+            amount if current_usage >= plan_limit else new_total_usage - plan_limit
+        )
+        PlanAddOn.deduct_add_ons_for_organization(organization, usage_type, deduction)
diff --git a/kobo/settings/base.py b/kobo/settings/base.py
index 648c6e1b09..aab4661472 100644
--- a/kobo/settings/base.py
+++ b/kobo/settings/base.py
@@ -17,8 +17,9 @@
 from pymongo import MongoClient
 
 from kobo.apps.stripe.constants import FREE_TIER_EMPTY_DISPLAY, FREE_TIER_NO_THRESHOLDS
-from kpi.utils.json import LazyJSONSerializable
 from kpi.constants import PERM_DELETE_ASSET, PERM_MANAGE_ASSET
+from kpi.utils.json import LazyJSONSerializable
+
 from ..static_lists import EXTRA_LANG_INFO, SECTOR_CHOICE_DEFAULTS
 
 env = environ.Env()
diff --git a/kpi/backends.py b/kpi/backends.py
index 8fe4f65d3c..f1fb74429d 100644
--- a/kpi/backends.py
+++ b/kpi/backends.py
@@ -1,7 +1,7 @@
 # coding: utf-8
+from django.conf import settings
 from django.contrib.auth.backends import ModelBackend as DjangoModelBackend
 from django.contrib.auth.management import DEFAULT_DB_ALIAS
-from django.conf import settings
 
 from .utils.database import get_thread_local
 from .utils.object_permission import get_database_user
diff --git a/kpi/db_routers.py b/kpi/db_routers.py
index 43cb1cf83f..cc5ff1a709 100644
--- a/kpi/db_routers.py
+++ b/kpi/db_routers.py
@@ -1,10 +1,9 @@
 from django.conf import settings
 from django.contrib.auth.management import DEFAULT_DB_ALIAS
 
-from kobo.apps.openrosa.libs.constants import (
-    OPENROSA_APP_LABELS,
-)
+from kobo.apps.openrosa.libs.constants import OPENROSA_APP_LABELS
 from kpi.utils.database import get_thread_local
+
 from .constants import SHADOW_MODEL_APP_LABELS, SHARED_APP_LABELS
 from .exceptions import ReadOnlyModelError
 
diff --git a/kpi/deployment_backends/openrosa_backend.py b/kpi/deployment_backends/openrosa_backend.py
index 40f953e4dd..52680c42bb 100644
--- a/kpi/deployment_backends/openrosa_backend.py
+++ b/kpi/deployment_backends/openrosa_backend.py
@@ -15,6 +15,7 @@
 import requests
 from defusedxml import ElementTree as DET
 from django.conf import settings
+from django.core.cache.backends.base import InvalidCacheBackendError
 from django.core.files import File
 from django.core.files.base import ContentFile
 from django.db.models import F, Sum
@@ -66,12 +67,12 @@
 from kpi.models.asset_file import AssetFile
 from kpi.models.object_permission import ObjectPermission
 from kpi.models.paired_data import PairedData
-from kpi.utils.django_orm_helper import UpdateJSONFieldAttributes
 from kpi.utils.files import ExtendedContentFile
 from kpi.utils.log import logging
 from kpi.utils.mongo_helper import MongoHelper
 from kpi.utils.object_permission import get_database_user
 from kpi.utils.xml import fromstring_preserve_root_xmlns, xml_tostring
+
 from ..exceptions import BadFormatException
 from .base_backend import BaseDeploymentBackend
 from .kc_access.utils import assign_applicable_kc_permissions, kc_transaction_atomic
@@ -850,13 +851,16 @@ def rename_enketo_id_key(self, previous_owner_username: str):
         parsed_url = urlparse(settings.KOBOCAT_URL)
         domain_name = parsed_url.netloc
         asset_uid = self.asset.uid
-        enketo_redis_client = get_redis_connection('enketo_redis_main')
-
         try:
+            enketo_redis_client = get_redis_connection('enketo_redis_main')
             enketo_redis_client.rename(
                 src=f'or:{domain_name}/{previous_owner_username},{asset_uid}',
                 dst=f'or:{domain_name}/{self.asset.owner.username},{asset_uid}',
             )
+        except InvalidCacheBackendError:
+            # TODO: This handles the case when the cache is disabled and
+            # get_redis_connection fails, though we may need better error handling here
+            pass
         except redis.exceptions.ResponseError:
             # original does not exist, weird but don't raise a 500 for that
             pass
@@ -1259,19 +1263,13 @@ def xform_id_string(self):
     @contextmanager
     def suspend_submissions(user_ids: list[int]):
         UserProfile.objects.filter(user_id__in=user_ids).update(
-            metadata=UpdateJSONFieldAttributes(
-                'metadata',
-                updates={'submissions_suspended': True},
-            ),
+            submissions_suspended=True
         )
         try:
             yield
         finally:
             UserProfile.objects.filter(user_id__in=user_ids).update(
-                metadata=UpdateJSONFieldAttributes(
-                    'metadata',
-                    updates={'submissions_suspended': False},
-                ),
+                submissions_suspended=False
             )
 
     def transfer_submissions_ownership(self, previous_owner_username: str) -> bool:
diff --git a/kpi/filters.py b/kpi/filters.py
index 7b3eac83a9..81bcd96ca1 100644
--- a/kpi/filters.py
+++ b/kpi/filters.py
@@ -1,15 +1,7 @@
 from django.conf import settings
 from django.contrib.auth.models import AnonymousUser
 from django.core.exceptions import FieldError
-from django.db.models import (
-    Case,
-    Count,
-    F,
-    IntegerField,
-    Q,
-    Value,
-    When,
-)
+from django.db.models import Case, Count, F, IntegerField, Q, Value, When
 from django.db.models.query import QuerySet
 from django.utils.datastructures import MultiValueDictKeyError
 from rest_framework import filters
@@ -17,10 +9,10 @@
 
 from kpi.constants import (
     ASSET_SEARCH_DEFAULT_FIELD_LOOKUPS,
-    ASSET_STATUS_SHARED,
     ASSET_STATUS_DISCOVERABLE,
     ASSET_STATUS_PRIVATE,
     ASSET_STATUS_PUBLIC,
+    ASSET_STATUS_SHARED,
     PERM_DISCOVER_ASSET,
     PERM_PARTIAL_SUBMISSIONS,
     PERM_VIEW_ASSET,
@@ -33,7 +25,6 @@
 )
 from kpi.models.asset import AssetDeploymentStatus, UserAssetSubscription
 from kpi.utils.django_orm_helper import OrderCustomCharField
-from kpi.utils.query_parser import get_parsed_parameters, parse, ParseError
 from kpi.utils.object_permission import (
     get_anonymous_user,
     get_database_user,
@@ -41,6 +32,8 @@
     get_perm_ids_from_code_names,
 )
 from kpi.utils.permissions import is_user_anonymous
+from kpi.utils.query_parser import ParseError, get_parsed_parameters, parse
+
 from .models import Asset, ObjectPermission
 
 
@@ -417,9 +410,7 @@ def filter_queryset(self, request, queryset, view):
         if organization.is_admin_only(user):
             # Admins do not receive explicit permission assignments,
             # but they have the same access to assets as the organization owner.
-            org_assets = Asset.objects.filter(
-                owner=organization.owner_user_object
-            )
+            org_assets = Asset.objects.filter(owner=organization.owner_user_object)
         else:
             org_assets = Asset.objects.none()
 
diff --git a/kpi/mixins/object_permission.py b/kpi/mixins/object_permission.py
index a5f33b5909..81bc8e6b6c 100644
--- a/kpi/mixins/object_permission.py
+++ b/kpi/mixins/object_permission.py
@@ -16,15 +16,15 @@
 from kobo.apps.kobo_auth.shortcuts import User
 from kobo.apps.project_views.models.project_view import ProjectView
 from kpi.constants import (
-    ASSET_TYPES_WITH_CHILDREN,
     ASSET_TYPE_SURVEY,
+    ASSET_TYPES_WITH_CHILDREN,
     PERM_FROM_KC_ONLY,
     PREFIX_PARTIAL_PERMS,
 )
 from kpi.deployment_backends.kc_access.utils import (
-    remove_applicable_kc_permissions,
     assign_applicable_kc_permissions,
     kc_transaction_atomic,
+    remove_applicable_kc_permissions,
 )
 from kpi.models.object_permission import ObjectPermission
 from kpi.utils.object_permission import (
@@ -581,9 +581,7 @@ def get_perms(self, user_obj: settings.AUTH_USER_MODEL) -> list[str]:
                 'codename', flat=True
             )
         )
-        project_views_perms = get_project_view_user_permissions_for_asset(
-            self, user
-        )
+        project_views_perms = get_project_view_user_permissions_for_asset(self, user)
 
         other_perms = []
         if self.owner and self.owner.organization.is_admin_only(user):
@@ -968,9 +966,7 @@ def __get_permissions_for_content_type(
         if codename__startswith is not None:
             filters['codename__startswith'] = codename__startswith
 
-        permissions = Permission.objects.filter(**filters).values_list(
-            'pk', 'codename'
-        )
+        permissions = Permission.objects.filter(**filters).values_list('pk', 'codename')
 
         return permissions
 
diff --git a/kpi/permissions.py b/kpi/permissions.py
index 18a70c8a2f..9ca6ed2fa1 100644
--- a/kpi/permissions.py
+++ b/kpi/permissions.py
@@ -284,12 +284,8 @@ def __init__(self, *args, **kwargs):
                 }
 
     def has_object_permission(self, request, view, obj):
-        if (
-            view.action == 'submission'
-            or (
-                view.action == 'retrieve'
-                and request.accepted_renderer.format == 'xml'
-            )
+        if view.action == 'submission' or (
+            view.action == 'retrieve' and request.accepted_renderer.format == 'xml'
         ):
             return True
 
diff --git a/kpi/serializers/v2/asset.py b/kpi/serializers/v2/asset.py
index 1ac3840738..1950771c18 100644
--- a/kpi/serializers/v2/asset.py
+++ b/kpi/serializers/v2/asset.py
@@ -64,6 +64,7 @@
     user_has_project_view_asset_perm,
     view_has_perm,
 )
+
 from .asset_export_settings import AssetExportSettingsSerializer
 from .asset_file import AssetFileSerializer
 from .asset_permission_assignment import AssetPermissionAssignmentSerializer
diff --git a/kpi/serializers/v2/service_usage.py b/kpi/serializers/v2/service_usage.py
index e82b160911..36adab02ff 100644
--- a/kpi/serializers/v2/service_usage.py
+++ b/kpi/serializers/v2/service_usage.py
@@ -107,6 +107,7 @@ class ServiceUsageSerializer(serializers.Serializer):
     current_month_end = serializers.SerializerMethodField()
     current_year_start = serializers.SerializerMethodField()
     current_year_end = serializers.SerializerMethodField()
+    last_updated = serializers.SerializerMethodField()
 
     def __init__(self, instance=None, data=empty, **kwargs):
         super().__init__(instance=instance, data=data, **kwargs)
@@ -131,6 +132,9 @@ def get_current_year_end(self, user):
     def get_current_year_start(self, user):
         return self.calculator.current_year_start.isoformat()
 
+    def get_last_updated(self, user):
+        return self.calculator.get_last_updated().isoformat()
+
     def get_total_nlp_usage(self, user):
         return self.calculator.get_nlp_usage_counters()
 
diff --git a/kpi/tests/api/v2/test_api_asset_permission_assignment.py b/kpi/tests/api/v2/test_api_asset_permission_assignment.py
index 122dab9716..9162bce1e4 100644
--- a/kpi/tests/api/v2/test_api_asset_permission_assignment.py
+++ b/kpi/tests/api/v2/test_api_asset_permission_assignment.py
@@ -24,9 +24,7 @@
 from kpi.utils.object_permission import get_anonymous_user
 
 
-class BaseApiAssetPermissionTestCase(
-    PermissionAssignmentTestCaseMixin, KpiTestCase
-):
+class BaseApiAssetPermissionTestCase(PermissionAssignmentTestCaseMixin, KpiTestCase):
     fixtures = ['test_data']
 
     URL_NAMESPACE = ROUTER_URL_NAMESPACE
diff --git a/kpi/tests/api/v2/test_api_assets.py b/kpi/tests/api/v2/test_api_assets.py
index 2680653313..034d551f8b 100644
--- a/kpi/tests/api/v2/test_api_assets.py
+++ b/kpi/tests/api/v2/test_api_assets.py
@@ -26,11 +26,11 @@
     BaseTestCase,
 )
 from kpi.tests.kpi_test_case import KpiTestCase
+from kpi.tests.utils.mixins import AssetFileTestCaseMixin
 from kpi.urls.router_api_v2 import URL_NAMESPACE as ROUTER_URL_NAMESPACE
 from kpi.utils.hash import calculate_hash
 from kpi.utils.object_permission import get_anonymous_user
 from kpi.utils.project_views import get_region_for_view
-from kpi.tests.utils.mixins import AssetFileTestCaseMixin
 
 
 class AssetListApiTests(BaseAssetTestCase):
diff --git a/kpi/tests/api/v2/test_api_collections.py b/kpi/tests/api/v2/test_api_collections.py
index d435ddc7f0..35e80cbc55 100644
--- a/kpi/tests/api/v2/test_api_collections.py
+++ b/kpi/tests/api/v2/test_api_collections.py
@@ -50,16 +50,12 @@ def test_create_collection(self):
         self.assertEqual(response.data['name'], 'my collection')
 
     def test_collection_detail(self):
-        url = reverse(
-            self._get_endpoint("asset-detail"), kwargs={"uid": self.coll.uid}
-        )
-        response = self.client.get(url, format="json")
-        self.assertEqual(response.data["name"], "test collection")
+        url = reverse(self._get_endpoint('asset-detail'), kwargs={'uid': self.coll.uid})
+        response = self.client.get(url, format='json')
+        self.assertEqual(response.data['name'], 'test collection')
 
     def test_collection_delete(self):
-        url = reverse(
-            self._get_endpoint("asset-detail"), kwargs={"uid": self.coll.uid}
-        )
+        url = reverse(self._get_endpoint('asset-detail'), kwargs={'uid': self.coll.uid})
         # DRF will return 200 if JSON format is not specified
         # FIXME: why is `format='json'` as a keyword argument not working?!
         # https://www.django-rest-framework.org/api-guide/testing/#using-the-format-argument
@@ -69,9 +65,7 @@ def test_collection_delete(self):
         self.assertEqual(response.status_code, status.HTTP_404_NOT_FOUND)
 
     def test_collection_rename(self):
-        url = reverse(
-            self._get_endpoint("asset-detail"), kwargs={"uid": self.coll.uid}
-        )
+        url = reverse(self._get_endpoint('asset-detail'), kwargs={'uid': self.coll.uid})
         response = self.client.get(url, format='json')
         self.assertEqual(response.status_code, status.HTTP_200_OK)
         self.assertEqual(response.data['name'], 'test collection')
@@ -96,7 +90,7 @@ def test_collection_list(self):
 
     def test_collection_filtered_list(self):
 
-        another_user = User.objects.get(username="anotheruser")
+        another_user = User.objects.get(username='anotheruser')
         list_url = reverse(self._get_endpoint('asset-list'))
         block = Asset.objects.create(
             asset_type=ASSET_TYPE_BLOCK,
@@ -187,7 +181,7 @@ def test_collection_filtered_list(self):
         # Logged in as another user, retrieve public and discoverable collections.
         # Should have 1 because it returns all public collections no matter
         # if user has subscribed to it or not.
-        self.login_as_other_user(username="anotheruser", password="anotheruser")
+        self.login_as_other_user(username='anotheruser', password='anotheruser')
         query_string = 'status=public-discoverable&q=asset_type:collection'
         url = f'{list_url}?{query_string}'
         response = self.client.get(url)
@@ -220,7 +214,7 @@ def test_collection_filtered_list(self):
 
     def test_collection_statuses_and_access_types(self):
 
-        another_user = User.objects.get(username="anotheruser")
+        another_user = User.objects.get(username='anotheruser')
 
         public_collection = Asset.objects.create(
             asset_type=ASSET_TYPE_COLLECTION,
@@ -247,25 +241,19 @@ def test_collection_statuses_and_access_types(self):
         # Make `public_collection` and `subscribed_collection` public-discoverable
         public_collection.assign_perm(AnonymousUser(), PERM_DISCOVER_ASSET)
         subscribed_collection.assign_perm(AnonymousUser(), PERM_DISCOVER_ASSET)
-        shared_subscribed_collection.assign_perm(
-            AnonymousUser(), PERM_DISCOVER_ASSET
-        )
+        shared_subscribed_collection.assign_perm(AnonymousUser(), PERM_DISCOVER_ASSET)
 
         # Make `shared_collection` and `shared_subscribed_collection` shared
         shared_collection.assign_perm(self.someuser, PERM_VIEW_ASSET)
         shared_subscribed_collection.assign_perm(self.someuser, PERM_VIEW_ASSET)
 
         # Subscribe `someuser` to `subscribed_collection`.
-        subscription_url = reverse(
-            self._get_endpoint('userassetsubscription-list')
-        )
+        subscription_url = reverse(self._get_endpoint('userassetsubscription-list'))
         asset_detail_url = self.absolute_reverse(
             self._get_endpoint('asset-detail'),
             kwargs={'uid': subscribed_collection.uid},
         )
-        response = self.client.post(
-            subscription_url, data={'asset': asset_detail_url}
-        )
+        response = self.client.post(subscription_url, data={'asset': asset_detail_url})
         assert response.status_code == status.HTTP_201_CREATED
 
         # Subscribe `someuser` to `shared_subscribed_collection`.
@@ -273,9 +261,7 @@ def test_collection_statuses_and_access_types(self):
             self._get_endpoint('asset-detail'),
             kwargs={'uid': shared_subscribed_collection.uid},
         )
-        response = self.client.post(
-            subscription_url, data={'asset': asset_detail_url}
-        )
+        response = self.client.post(subscription_url, data={'asset': asset_detail_url})
         assert response.status_code == status.HTTP_201_CREATED
 
         list_url = reverse(self._get_endpoint('asset-list'))
@@ -307,10 +293,7 @@ def test_collection_statuses_and_access_types(self):
         for collection in response.data['results']:
             expected_collection = expected[collection.get('name')]
             assert expected_collection['status'] == collection['status']
-            assert (
-                expected_collection['access_types']
-                == collection['access_types']
-            )
+            assert expected_collection['access_types'] == collection['access_types']
 
     def test_collection_subscribe(self):
         public_collection = Asset.objects.create(
@@ -320,7 +303,7 @@ def test_collection_subscribe(self):
         )
         public_collection.assign_perm(AnonymousUser(), PERM_DISCOVER_ASSET)
 
-        self.login_as_other_user(username="anotheruser", password="anotheruser")
+        self.login_as_other_user(username='anotheruser', password='anotheruser')
 
         asset_list_url = reverse(self._get_endpoint('asset-list'))
         coll_list_url = f'{asset_list_url}?q=asset_type:collection'
@@ -363,13 +346,12 @@ def test_get_subscribed_collection(self):
         )
         public_collection.assign_perm(AnonymousUser(), PERM_DISCOVER_ASSET)
 
-        self.login_as_other_user(username="anotheruser", password="anotheruser")
+        self.login_as_other_user(username='anotheruser', password='anotheruser')
 
         asset_list_url = reverse(self._get_endpoint('asset-list'))
         coll_list_url = f'{asset_list_url}?q=asset_type:collection'
         sub_list_url = reverse(self._get_endpoint('userassetsubscription-list'))
-        subscrbd_coll_url = \
-            f"{asset_list_url}?q=parent__uid:{public_collection.uid}"
+        subscrbd_coll_url = f'{asset_list_url}?q=parent__uid:{public_collection.uid}'
         pub_coll_url = BaseTestCase.absolute_reverse(
             self._get_endpoint('asset-detail'),
             kwargs={'uid': public_collection.uid},
@@ -384,11 +366,11 @@ def test_get_subscribed_collection(self):
         data = {'asset': pub_coll_url}
         response = self.client.post(sub_list_url, data, format='json')
         self.assertEqual(response.status_code, status.HTTP_201_CREATED)
-        assert response.data["asset"] == pub_coll_url
+        assert response.data['asset'] == pub_coll_url
 
         # we should be able to get its children with its uid
         expected_child_uid = [
-            c for c in public_collection.children.values_list("uid", flat=True)
+            c for c in public_collection.children.values_list('uid', flat=True)
         ]
         response = self.client.get(subscrbd_coll_url)
         response_child_uid = [c['uid'] for c in response.data['results']]
@@ -403,14 +385,14 @@ def test_collection_unsubscribe(self):
         public_collection.assign_perm(AnonymousUser(), PERM_DISCOVER_ASSET)
 
         # subscribe with the ORM
-        another_user = User.objects.get(username="anotheruser")
+        another_user = User.objects.get(username='anotheruser')
         subscription = UserAssetSubscription.objects.create(
             user=another_user, asset=public_collection
         )
 
         asset_list_url = reverse(self._get_endpoint('asset-list'))
         coll_list_url = f'{asset_list_url}?q=asset_type:collection'
-        self.login_as_other_user(username="anotheruser", password="anotheruser")
+        self.login_as_other_user(username='anotheruser', password='anotheruser')
 
         # we should see the collection in our asset list
         response = self.client.get(coll_list_url)
@@ -434,7 +416,7 @@ def test_collection_unsubscribe(self):
         self.assertEqual(response.data['count'], 0)
 
     def test_collection_cannot_subscribe_if_not_public(self):
-        self.login_as_other_user(username="anotheruser", password="anotheruser")
+        self.login_as_other_user(username='anotheruser', password='anotheruser')
         asset_list_url = reverse(self._get_endpoint('asset-list'))
         coll_list_url = f'{asset_list_url}?q=asset_type:collection'
         sub_list_url = reverse(self._get_endpoint('userassetsubscription-list'))
diff --git a/kpi/tests/api/v2/test_api_permissions.py b/kpi/tests/api/v2/test_api_permissions.py
index b71f979b61..ff63d5b49b 100644
--- a/kpi/tests/api/v2/test_api_permissions.py
+++ b/kpi/tests/api/v2/test_api_permissions.py
@@ -11,8 +11,8 @@
 )
 from kpi.models import Asset, ObjectPermission
 from kpi.tests.kpi_test_case import KpiTestCase
-from kpi.urls.router_api_v2 import URL_NAMESPACE as ROUTER_URL_NAMESPACE
 from kpi.tests.utils.mixins import PermissionAssignmentTestCaseMixin
+from kpi.urls.router_api_v2 import URL_NAMESPACE as ROUTER_URL_NAMESPACE
 from kpi.utils.object_permission import get_anonymous_user
 
 
@@ -50,8 +50,11 @@ def test_cannot_create_asset(self):
         url = reverse(self._get_endpoint('asset-list'))
         data = {'name': 'my asset', 'content': ''}
         response = self.client.post(url, data, format='json')
-        self.assertEqual(response.status_code, status.HTTP_401_UNAUTHORIZED,
-                         msg="anonymous user cannot create a asset")
+        self.assertEqual(
+            response.status_code,
+            status.HTTP_401_UNAUTHORIZED,
+            msg='anonymous user cannot create a asset',
+        )
 
 
 class ApiPermissionsPublicAssetTestCase(KpiTestCase):
@@ -658,9 +661,7 @@ def test_inherited_viewable_collection_not_deletable(self):
         self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
 
 
-class ApiAssignedPermissionsTestCase(
-    PermissionAssignmentTestCaseMixin, KpiTestCase
-):
+class ApiAssignedPermissionsTestCase(PermissionAssignmentTestCaseMixin, KpiTestCase):
     """
     An obnoxiously large amount of code to test that the endpoint for listing
     assigned permissions complies with the following rules:
@@ -711,9 +712,7 @@ def test_anon_only_sees_owner_and_anon_permissions(self):
                     kwargs={'username': username},
                 )
             )
-        self.assertSetEqual(
-            set((a['user'] for a in response.data)), set(user_urls)
-        )
+        self.assertSetEqual(set(a['user'] for a in response.data), set(user_urls))
 
     def test_user_sees_relevant_permissions_on_assigned_objects(self):
         # A user with explicitly-assigned permissions should see their
diff --git a/kpi/tests/api/v2/test_api_service_usage.py b/kpi/tests/api/v2/test_api_service_usage.py
index 68af6b2bbb..60a159cc29 100644
--- a/kpi/tests/api/v2/test_api_service_usage.py
+++ b/kpi/tests/api/v2/test_api_service_usage.py
@@ -1,3 +1,4 @@
+from django.test import override_settings
 from django.urls import reverse
 from rest_framework import status
 
@@ -42,9 +43,7 @@ def test_check_api_response(self):
         assert (
             response.data['total_nlp_usage']['mt_characters_all_time'] == 6726
         )
-        assert (
-            response.data['total_storage_bytes'] == self.expected_file_size()
-        )
+        assert response.data['total_storage_bytes'] == self.expected_file_size()
 
     def test_multiple_forms(self):
         """
@@ -65,6 +64,9 @@ def test_multiple_forms(self):
             self.expected_file_size() * 3
         )
 
+    @override_settings(
+        CACHES={'default': {'BACKEND': 'django.core.cache.backends.dummy.DummyCache'}}
+    )
     def test_service_usages_with_projects_in_trash_bin(self):
         self.test_multiple_forms()
         # Simulate trash bin
diff --git a/kpi/tests/api/v2/test_api_submissions.py b/kpi/tests/api/v2/test_api_submissions.py
index 890f881a27..bef58c8479 100644
--- a/kpi/tests/api/v2/test_api_submissions.py
+++ b/kpi/tests/api/v2/test_api_submissions.py
@@ -5,8 +5,6 @@
 import string
 import uuid
 from datetime import datetime
-from zoneinfo import ZoneInfo
-
 from unittest import mock
 
 import lxml
@@ -16,6 +14,7 @@
 from django.urls import reverse
 from django_digest.test import Client as DigestClient
 from rest_framework import status
+from zoneinfo import ZoneInfo
 
 from kobo.apps.audit_log.models import AuditLog, AuditType
 from kobo.apps.kobo_auth.shortcuts import User
diff --git a/kpi/tests/base_test_case.py b/kpi/tests/base_test_case.py
index 9955115b0f..7b066bc494 100644
--- a/kpi/tests/base_test_case.py
+++ b/kpi/tests/base_test_case.py
@@ -10,6 +10,7 @@
 from kobo.apps.kobo_auth.shortcuts import User
 from kpi.models.asset import Asset
 from kpi.models.object_permission import ObjectPermission
+
 # `baker_generators` needs to be imported to give baker extra support
 from kpi.tests.utils import baker_generators  # noqa
 from kpi.urls.router_api_v2 import URL_NAMESPACE as ROUTER_URL_NAMESPACE
@@ -75,9 +76,7 @@ class BaseAssetTestCase(BaseTestCase):
 
     EMPTY_SURVEY = {'survey': [], 'schema': SCHEMA_VERSION, 'settings': {}}
 
-    def create_asset(
-        self, asset_type='survey', content: dict = None, name: str = None
-    ):
+    def create_asset(self, asset_type='survey', content: dict = None, name: str = None):
         """
         Create a new, empty asset as the currently logged-in user
         """
diff --git a/kpi/tests/kpi_test_case.py b/kpi/tests/kpi_test_case.py
index 0bd4dcdce5..659311fd1e 100644
--- a/kpi/tests/kpi_test_case.py
+++ b/kpi/tests/kpi_test_case.py
@@ -7,10 +7,12 @@
 from rest_framework import status
 
 from kpi.constants import ASSET_TYPE_COLLECTION
+
+from ..models.asset import Asset
+
 # FIXME: Remove the following line when the permissions API is in place.
 from .base_test_case import BaseTestCase
 from .test_permissions import BasePermissionsTestCase
-from ..models.asset import Asset
 
 
 class KpiTestCase(BaseTestCase, BasePermissionsTestCase):
diff --git a/kpi/tests/test_cache_utils.py b/kpi/tests/test_cache_utils.py
new file mode 100644
index 0000000000..c2e74fdbb0
--- /dev/null
+++ b/kpi/tests/test_cache_utils.py
@@ -0,0 +1,55 @@
+from json import dumps, loads
+from unittest.mock import patch
+
+from kpi.utils.cache import CachedClass, cached_class_property
+
+
+class MockCachedClass(CachedClass):
+    CACHE_TTL = 10
+
+    def __init__(self):
+        self._setup_cache()
+        self.counter = 0
+        self.dict_value = {'value': 0, 'other_value': 'test'}
+
+    def _get_cache_hash(self):
+        return 'test'
+
+    @cached_class_property(key='dict_value', serializer=dumps, deserializer=loads)
+    def get_dict(self):
+        self.dict_value['value'] += 1
+        return self.dict_value
+
+    @cached_class_property(key='int_value', serializer=str, deserializer=int)
+    def get_number(self):
+        self.counter += 1
+        return self.counter
+
+
+def test_cached_class_int_property():
+    instance = MockCachedClass()
+    instance._clear_cache()
+    assert instance.get_number() == 1
+    assert instance.get_number() == 1
+    instance._clear_cache()
+    assert instance.get_number() == 2
+
+
+def test_cached_class_dict_property():
+    instance = MockCachedClass()
+    instance._clear_cache()
+    assert instance.get_dict() == {'value': 1, 'other_value': 'test'}
+    assert instance.get_dict()['value'] == 1
+    instance._clear_cache()
+    assert instance.get_dict()['value'] == 2
+
+
+def clear_mock_cache(self):
+    self._clear_cache()
+
+
+@patch('kpi.utils.cache.CachedClass._handle_cache_expiration', clear_mock_cache)
+def test_override_cache():
+    instance = MockCachedClass()
+    assert instance.get_dict()['value'] == 1
+    assert instance.get_dict()['value'] == 2
diff --git a/kpi/tests/test_permissions.py b/kpi/tests/test_permissions.py
index 15b5fa3f2e..337d7833c5 100644
--- a/kpi/tests/test_permissions.py
+++ b/kpi/tests/test_permissions.py
@@ -1,5 +1,6 @@
 # coding: utf-8
 import unittest
+
 from django.contrib.auth.models import AnonymousUser
 from django.test import TestCase
 
@@ -21,6 +22,7 @@
 )
 from kpi.exceptions import BadPermissionsException
 from kpi.utils.object_permission import get_all_objects_for_user
+
 from ..models import ObjectPermission
 from ..models.asset import Asset
 
@@ -862,9 +864,7 @@ def test_user_without_perms_get_anonymous_perms(self):
         self.assertFalse(anonymous_user.has_perm(PERM_VIEW_SUBMISSIONS, asset))
         asset.assign_perm(anonymous_user, PERM_VIEW_SUBMISSIONS)
         self.assertTrue(grantee.has_perm(PERM_VIEW_SUBMISSIONS, asset))
-        self.assertTrue(
-            asset.get_perms(grantee), asset.get_perms(anonymous_user)
-        )
+        self.assertTrue(asset.get_perms(grantee), asset.get_perms(anonymous_user))
 
     def test_org_admin_inherited_and_implied_permissions(self):
         """
diff --git a/kpi/tests/test_usage_calculator.py b/kpi/tests/test_usage_calculator.py
index 8c4b455082..e8a86fe7b8 100644
--- a/kpi/tests/test_usage_calculator.py
+++ b/kpi/tests/test_usage_calculator.py
@@ -3,6 +3,7 @@
 
 from dateutil.relativedelta import relativedelta
 from django.conf import settings
+from django.core.cache import cache
 from django.test import override_settings
 from django.urls import reverse
 from django.utils import timezone
@@ -10,6 +11,7 @@
 
 from kobo.apps.kobo_auth.shortcuts import User
 from kobo.apps.organizations.models import Organization
+from kobo.apps.stripe.constants import USAGE_LIMIT_MAP
 from kobo.apps.stripe.tests.utils import generate_enterprise_subscription
 from kobo.apps.trackers.models import NLPUsageCounter
 from kpi.models import Asset
@@ -31,6 +33,7 @@ class BaseServiceUsageTestCase(BaseAssetTestCase):
     def setUp(self):
         super().setUp()
         self.client.login(username='anotheruser', password='anotheruser')
+        cache.clear()
 
     @classmethod
     def setUpTestData(cls):
@@ -158,6 +161,20 @@ def setUp(self):
         self.add_nlp_trackers()
         self.add_submissions(count=5)
 
+    def test_disable_cache(self):
+        calculator = ServiceUsageCalculator(self.anotheruser, None, disable_cache=True)
+        nlp_usage_A = calculator.get_nlp_usage_counters()
+        self.add_nlp_trackers()
+        nlp_usage_B = calculator.get_nlp_usage_counters()
+        assert (
+            2 * nlp_usage_A['asr_seconds_current_month']
+            == nlp_usage_B['asr_seconds_current_month']
+        )
+        assert (
+            2 * nlp_usage_A['mt_characters_current_month']
+            == nlp_usage_B['mt_characters_current_month']
+        )
+
     def test_nlp_usage_counters(self):
         calculator = ServiceUsageCalculator(self.anotheruser, None)
         nlp_usage = calculator.get_nlp_usage_counters()
@@ -166,16 +183,6 @@ def test_nlp_usage_counters(self):
         assert nlp_usage['mt_characters_current_month'] == 5473
         assert nlp_usage['mt_characters_all_time'] == 6726
 
-    def test_storage_usage(self):
-        calculator = ServiceUsageCalculator(self.anotheruser, None)
-        assert calculator.get_storage_usage() == 5 * self.expected_file_size()
-
-    def test_submission_counters(self):
-        calculator = ServiceUsageCalculator(self.anotheruser, None)
-        submission_counters = calculator.get_submission_counters()
-        assert submission_counters['current_month'] == 5
-        assert submission_counters['all_time'] == 5
-
     def test_no_data(self):
         calculator = ServiceUsageCalculator(self.someuser, None)
         nlp_usage = calculator.get_nlp_usage_counters()
@@ -208,3 +215,16 @@ def test_organization_setup(self):
         assert nlp_usage['mt_characters_all_time'] == 6726
 
         assert calculator.get_storage_usage() == 5 * self.expected_file_size()
+
+        assert calculator.get_nlp_usage_by_type(USAGE_LIMIT_MAP['characters']) == 5473
+        assert calculator.get_nlp_usage_by_type(USAGE_LIMIT_MAP['seconds']) == 4586
+
+    def test_storage_usage(self):
+        calculator = ServiceUsageCalculator(self.anotheruser, None)
+        assert calculator.get_storage_usage() == 5 * self.expected_file_size()
+
+    def test_submission_counters(self):
+        calculator = ServiceUsageCalculator(self.anotheruser, None)
+        submission_counters = calculator.get_submission_counters()
+        assert submission_counters['current_month'] == 5
+        assert submission_counters['all_time'] == 5
diff --git a/kpi/tests/utils/mixins.py b/kpi/tests/utils/mixins.py
index 96f4e3158a..14b3ec7f61 100644
--- a/kpi/tests/utils/mixins.py
+++ b/kpi/tests/utils/mixins.py
@@ -35,9 +35,7 @@ def asset_file_payload(self):
             'metadata': json.dumps({'source': 'http://geojson.org/'}),
         }
 
-    def create_asset_file(
-        self, payload=None, status_code=status.HTTP_201_CREATED
-    ):
+    def create_asset_file(self, payload=None, status_code=status.HTTP_201_CREATED):
         payload = self.asset_file_payload if payload is None else payload
 
         response = self.client.get(self.list_url)
@@ -93,9 +91,7 @@ def verify_asset_file(self, response, payload=None, form_media=False):
         response_metadata.pop('mimetype', None)
         response_metadata.pop('hash', None)
 
-        self.assertEqual(
-            json.dumps(response_metadata), posted_payload['metadata']
-        )
+        self.assertEqual(json.dumps(response_metadata), posted_payload['metadata'])
         for field in 'file_type', 'description':
             self.assertEqual(response_dict[field], posted_payload[field])
 
@@ -180,12 +176,11 @@ def _delete_submissions(self):
 class SubmissionEditTestCaseMixin:
 
     def _get_edit_link(self):
-        ee_url = (
-            f'{settings.ENKETO_URL}/{settings.ENKETO_EDIT_INSTANCE_ENDPOINT}'
-        )
+        ee_url = f'{settings.ENKETO_URL}/{settings.ENKETO_EDIT_INSTANCE_ENDPOINT}'
         # Mock Enketo response
         responses.add_callback(
-            responses.POST, ee_url,
+            responses.POST,
+            ee_url,
             callback=enketo_edit_instance_response,
             content_type='application/json',
         )
@@ -250,9 +245,7 @@ def _delete_statuses(self):
     def _update_status(
         self, username: str, status_uid: str = 'validation_status_not_approved'
     ):
-        data = {
-            'validation_status.uid': status_uid
-        }
+        data = {'validation_status.uid': status_uid}
         response = self.client.patch(self.validation_status_url, data=data)
         assert response.status_code == status.HTTP_200_OK
 
@@ -283,9 +276,7 @@ def _validate_statuses(
         assert response.status_code == status.HTTP_200_OK
 
         if empty:
-            statuses = [
-                not s['_validation_status'] for s in response.data['results']
-            ]
+            statuses = [not s['_validation_status'] for s in response.data['results']]
         else:
             statuses = [
                 s['_validation_status']['uid'] == uid
@@ -299,13 +290,12 @@ def _validate_statuses(
 class SubmissionViewTestCaseMixin:
 
     def _get_view_link(self):
-        ee_url = (
-            f'{settings.ENKETO_URL}/{settings.ENKETO_VIEW_INSTANCE_ENDPOINT}'
-        )
+        ee_url = f'{settings.ENKETO_URL}/{settings.ENKETO_VIEW_INSTANCE_ENDPOINT}'
 
         # Mock Enketo response
         responses.add_callback(
-            responses.POST, ee_url,
+            responses.POST,
+            ee_url,
             callback=enketo_view_instance_response,
             content_type='application/json',
         )
@@ -333,7 +323,7 @@ class PermissionAssignmentTestCaseMixin:
     def get_asset_perm_assignment_list_url(self, asset):
         return reverse(
             self._get_endpoint('asset-permission-assignment-list'),
-            kwargs={'parent_lookup_asset': asset.uid}
+            kwargs={'parent_lookup_asset': asset.uid},
         )
 
     def get_urls_for_asset_perm_assignment_objs(self, perm_assignments, asset):
diff --git a/kpi/utils/cache.py b/kpi/utils/cache.py
index 3fe3af1b6b..d2cb5f5189 100644
--- a/kpi/utils/cache.py
+++ b/kpi/utils/cache.py
@@ -1,7 +1,9 @@
-# -*- coding: utf-8 -*-
+from datetime import timedelta
 from functools import wraps
 
-from django_request_cache import get_request_cache
+from django.utils import timezone
+from django_redis import get_redis_connection
+from django_request_cache import cache_for_request, get_request_cache
 
 
 def void_cache_for_request(keys):
@@ -14,6 +16,7 @@ def void_cache_for_request(keys):
         keys (tuple): Substrings to be searched for
 
     """
+
     def _void_cache_for_request(func):
         @wraps(func)
         def wrapper(*args, **kwargs):
@@ -27,5 +30,104 @@ def wrapper(*args, **kwargs):
                     if key.startswith(prefixed_keys):
                         delattr(cache, key)
             return func(*args, **kwargs)
+
         return wrapper
+
     return _void_cache_for_request
+
+
+class CachedClass:
+    """
+    Handles a mapping cache for a class. It supports only getter methods that
+    receive no parameters but the self.
+
+    The inheriting class must define a function _get_cache_hash that creates a
+    unique name string for the underlying HSET.
+
+    The inheriting class should call self._setup_cache() at __init__
+
+    The TTL is configured through the class property CACHE_TTL.
+
+    This class must be used with the decorator defined below,
+    cached_class_property, which will be used to specify what class methods are
+    cached.
+    """
+
+    CACHE_TTL = None
+
+    @cache_for_request
+    def _cache_last_updated(self):
+        if not self._cache_available:
+            return timezone.now()
+
+        remaining_seconds = self._redis_client.ttl(self._cache_hash_str)
+        return timezone.now() - timedelta(seconds=self.CACHE_TTL - remaining_seconds)
+
+    def _clear_cache(self):
+        if not self._cache_available:
+            return
+
+        self._redis_client.delete(self._cache_hash_str)
+        self._cached_hset = {}
+
+    def _handle_cache_expiration(self):
+        """
+        Checks if the hset is initialized, and initializes if necessary
+        """
+        if not self._cache_available:
+            return
+
+        if not self._cached_hset.get(b'__initialized__'):
+            self._redis_client.hset(self._cache_hash_str, '__initialized__', 'True')
+            self._redis_client.expire(self._cache_hash_str, self.CACHE_TTL)
+            self._cached_hset[b'__initialized__'] = True
+
+    def _setup_cache(self):
+        """
+        Sets up the cache client and the cache hash name for the hset
+        """
+        if getattr(self, '_cache_available', None) is False:
+            return
+
+        self._redis_client = None
+        self._cache_available = True
+        self._cached_hset = {}
+        try:
+            self._redis_client = get_redis_connection('default')
+        except NotImplementedError:
+            self._cache_available = False
+            return
+
+        self._cache_hash_str = self._get_cache_hash()
+        assert self.CACHE_TTL > 0, 'Set a valid value for CACHE_TTL'
+        self._cached_hset = self._redis_client.hgetall(self._cache_hash_str)
+        self._handle_cache_expiration()
+
+
+def cached_class_property(key, serializer=str, deserializer=str):
+    """
+    Function decorator that takes a key to store/retrieve a cached key value and
+    serializer and deserializer functions to convert the value for storage or
+    retrieval, respectively.
+    """
+
+    def cached_key_getter(func):
+        def wrapper(self):
+            if getattr(self, '_cache_available', None) is False:
+                return func(self)
+
+            self._handle_cache_expiration()
+            value = self._cached_hset.get(key.encode())
+            if value is None:
+                value = func(self)
+                serialized_value = serializer(value)
+                self._redis_client.hset(self._cache_hash_str, key, serialized_value)
+                self._cached_hset[key.encode()] = serialized_value
+            else:
+                value = deserializer(value)
+
+            return value
+
+        return wrapper
+
+    return cached_key_getter
diff --git a/kpi/utils/django_orm_helper.py b/kpi/utils/django_orm_helper.py
index 57e2dd55ee..ffd8b0b471 100644
--- a/kpi/utils/django_orm_helper.py
+++ b/kpi/utils/django_orm_helper.py
@@ -1,9 +1,8 @@
 from __future__ import annotations
 
 import json
-from typing import Optional, Literal
 
-from django.db.models import Lookup, Field
+from django.db.models import Field, Lookup
 from django.db.models.expressions import Func, Value
 
 
@@ -40,6 +39,31 @@ def __init__(self, expression: str, keyname: str, increment: int, **extra):
         )
 
 
+class DeductUsageValue(Func):
+
+    function = 'jsonb_set'
+    usage_value = "COALESCE(%(expressions)s ->> '%(keyname)s', '0')::int"
+    template = (
+        '%(function)s(%(expressions)s,'
+        '\'{"%(keyname)s"}\','
+        '('
+        f'CASE WHEN {usage_value} > %(amount)s '
+        f'THEN {usage_value} - %(amount)s '
+        'ELSE 0 '
+        'END '
+        ')::text::jsonb)'
+    )
+    arity = 1
+
+    def __init__(self, expression: str, keyname: str, amount: int, **extra):
+        super().__init__(
+            expression,
+            keyname=keyname,
+            amount=amount,
+            **extra,
+        )
+
+
 class OrderCustomCharField(Func):
     """
     DO NOT use on fields other than CharField while the application maintains
@@ -87,7 +111,7 @@ class RemoveJSONFieldAttribute(Func):
     """
 
     arg_joiner = ' #- '
-    template = "%(expressions)s"
+    template = '%(expressions)s'
     arity = 2
 
     def __init__(
@@ -116,7 +140,7 @@ class UpdateJSONFieldAttributes(Func):
     > structure is merged
     """
     arg_joiner = ' || '
-    template = "%(expressions)s"
+    template = '%(expressions)s'
     arity = 2
 
     def __init__(
diff --git a/kpi/utils/usage_calculator.py b/kpi/utils/usage_calculator.py
index eaf4aacca0..12ea46b8dc 100644
--- a/kpi/utils/usage_calculator.py
+++ b/kpi/utils/usage_calculator.py
@@ -1,5 +1,7 @@
+from json import dumps, loads
 from typing import Optional
 
+from django.apps import apps
 from django.conf import settings
 from django.db.models import Q, Sum
 from django.db.models.functions import Coalesce
@@ -7,20 +9,26 @@
 
 from kobo.apps.kobo_auth.shortcuts import User
 from kobo.apps.openrosa.apps.logger.models import DailyXFormSubmissionCounter, XForm
-from kobo.apps.organizations.models import Organization
 from kobo.apps.organizations.utils import (
     get_monthly_billing_dates,
     get_yearly_billing_dates,
 )
 from kobo.apps.stripe.constants import ACTIVE_STRIPE_STATUSES
-from kobo.apps.trackers.models import NLPUsageCounter
+from kpi.utils.cache import CachedClass, cached_class_property
 
 
-class ServiceUsageCalculator:
-    def __init__(self, user: User, organization: Optional[Organization]):
+class ServiceUsageCalculator(CachedClass):
+    CACHE_TTL = settings.ENDPOINT_CACHE_DURATION
+
+    def __init__(
+        self,
+        user: User,
+        organization: Optional['Organization'],
+        disable_cache: bool = False,
+    ):
         self.user = user
         self.organization = organization
-
+        self._cache_available = not disable_cache
         self._user_ids = [user.pk]
         self._user_id_query = self._filter_by_user([user.pk])
         if organization and settings.STRIPE_ENABLED:
@@ -50,14 +58,38 @@ def __init__(self, user: User, organization: Optional[Organization]):
         )
         self.current_month_filter = Q(date__range=[self.current_month_start, now])
         self.current_year_filter = Q(date__range=[self.current_year_start, now])
+        self._setup_cache()
 
-    def _filter_by_user(self, user_ids: list) -> Q:
-        """
-        Turns a list of user ids into a query object to filter by
+    def get_nlp_usage_by_type(self, usage_key: str) -> int:
+        """Returns the usage for a given organization and usage key. The usage key
+        should be the value from the USAGE_LIMIT_MAP found in the stripe kobo app.
         """
-        return Q(user_id__in=user_ids)
+        if self.organization is None:
+            return None
+
+        billing_details = self.organization.active_subscription_billing_details()
+        if not billing_details:
+            return None
+
+        interval = billing_details['recurring_interval']
+        nlp_usage = self.get_nlp_usage_counters()
+
+        cached_usage = {
+            'asr_seconds': nlp_usage[f'asr_seconds_current_{interval}'],
+            'mt_characters': nlp_usage[f'mt_characters_current_{interval}'],
+        }
+
+        return cached_usage[usage_key]
 
+    def get_last_updated(self):
+        return self._cache_last_updated()
+
+    @cached_class_property(
+        key='nlp_usage_counters', serializer=dumps, deserializer=loads
+    )
     def get_nlp_usage_counters(self):
+        NLPUsageCounter = apps.get_model('trackers', 'NLPUsageCounter')  # noqa
+
         nlp_tracking = (
             NLPUsageCounter.objects.only(
                 'date', 'total_asr_seconds', 'total_mt_characters'
@@ -90,6 +122,7 @@ def get_nlp_usage_counters(self):
 
         return total_nlp_usage
 
+    @cached_class_property(key='storage_usage', serializer=str, deserializer=int)
     def get_storage_usage(self):
         """
         Get the storage used by non-(soft-)deleted projects for all users
@@ -108,6 +141,9 @@ def get_storage_usage(self):
 
         return total_storage_bytes['bytes_sum'] or 0
 
+    @cached_class_property(
+        key='submission_counters', serializer=dumps, deserializer=loads
+    )
     def get_submission_counters(self):
         """
         Calculate submissions for all users' projects even their deleted ones
@@ -133,3 +169,15 @@ def get_submission_counters(self):
             total_submission_count[submission_key] = count if count is not None else 0
 
         return total_submission_count
+
+    def _get_cache_hash(self):
+        if self.organization is None:
+            return f'user-{self.user.id}'
+        else:
+            return f'organization-{self.organization.id}'
+
+    def _filter_by_user(self, user_ids: list) -> Q:
+        """
+        Turns a list of user ids into a query object to filter by
+        """
+        return Q(user_id__in=user_ids)
diff --git a/kpi/views/v2/asset.py b/kpi/views/v2/asset.py
index 829302b6fe..1af06ba083 100644
--- a/kpi/views/v2/asset.py
+++ b/kpi/views/v2/asset.py
@@ -559,9 +559,7 @@ def get_object_override(self):
         # content, not previous versions. Previous versions are handled in
         # `kobo.apps.reports.report_data.build_formpack()`
         if self.request.method == 'GET':
-            repair_file_column_content_and_save(
-                asset, include_versions=False
-            )
+            repair_file_column_content_and_save(asset, include_versions=False)
 
         return asset
 
diff --git a/kpi/views/v2/asset_snapshot.py b/kpi/views/v2/asset_snapshot.py
index efbae3f12b..de47f30fc2 100644
--- a/kpi/views/v2/asset_snapshot.py
+++ b/kpi/views/v2/asset_snapshot.py
@@ -74,11 +74,8 @@ def filter_queryset(self, queryset):
             if not user.is_anonymous:
                 owned_snapshots = queryset.filter(owner=user)
 
-            return (
-                owned_snapshots
-                | RelatedAssetPermissionsFilter().filter_queryset(
-                    self.request, queryset, view=self
-                )
+            return owned_snapshots | RelatedAssetPermissionsFilter().filter_queryset(
+                self.request, queryset, view=self
             )
 
     @action(
@@ -103,9 +100,11 @@ def form_list(self, request, *args, **kwargs):
 
     def get_object(self):
         try:
-            snapshot = self.queryset.select_related('asset').defer(
-                'asset__content'
-            ).get(uid=self.kwargs[self.lookup_field])
+            snapshot = (
+                self.queryset.select_related('asset')
+                .defer('asset__content')
+                .get(uid=self.kwargs[self.lookup_field])
+            )
         except AssetSnapshot.DoesNotExist:
             raise Http404
 

From eb921235782d02e1d588ea4a809d849ccf89ffdc Mon Sep 17 00:00:00 2001
From: Leszek Pietrzak <leszek@magicznyleszek.xyz>
Date: Thu, 14 Nov 2024 17:42:06 +0100
Subject: [PATCH 6/8] fix(InlineMessage): link styles (#5267)

Links inside `InlineMessage` are now dark blue with underline on hover.
---
 jsapp/js/components/common/inlineMessage.scss | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/jsapp/js/components/common/inlineMessage.scss b/jsapp/js/components/common/inlineMessage.scss
index 91a6e95f36..3331b59ecc 100644
--- a/jsapp/js/components/common/inlineMessage.scss
+++ b/jsapp/js/components/common/inlineMessage.scss
@@ -13,11 +13,11 @@
   line-height: 22px;
 
   a {
-    text-decoration: underline;
-    color: inherit;
+    text-decoration: none;
+    color: colors.$kobo-dark-blue;
 
     &:hover {
-      text-decoration: none;
+      text-decoration: underline;
     }
   }
 

From 699114bf5fee58478553ecb7478711dd63e4aa4a Mon Sep 17 00:00:00 2001
From: Leszek Pietrzak <leszek@magicznyleszek.xyz>
Date: Thu, 14 Nov 2024 18:20:57 +0100
Subject: [PATCH 7/8] feat(organization): add new route for organization
 projects TASK-975 (#5240)

Make it possible to view your organization projects in a table.

Add new route for viewing your organization projects at
`#/projects/organization`. Make it possible to switch into the new route
through the View Switcher UI element.
---
 jsapp/js/api.endpoints.ts                     |  1 +
 jsapp/js/projects/myOrgProjectsRoute.tsx      | 52 +++++++++++++++++++
 jsapp/js/projects/projectViews/constants.ts   |  5 ++
 .../js/projects/projectViews/viewSwitcher.tsx | 36 ++++++++++---
 jsapp/js/projects/routes.tsx                  | 17 ++++++
 jsapp/js/router/router.tsx                    |  2 +-
 jsapp/js/router/routerConstants.ts            |  5 ++
 7 files changed, 111 insertions(+), 7 deletions(-)
 create mode 100644 jsapp/js/projects/myOrgProjectsRoute.tsx

diff --git a/jsapp/js/api.endpoints.ts b/jsapp/js/api.endpoints.ts
index 8dc21499db..a60fcbd328 100644
--- a/jsapp/js/api.endpoints.ts
+++ b/jsapp/js/api.endpoints.ts
@@ -1,5 +1,6 @@
 export const endpoints = {
   ASSET_URL: '/api/v2/assets/:uid/',
+  ORG_ASSETS_URL: '/api/v2/organizations/:organization_id/assets/',
   ME_URL: '/me/',
   PRODUCTS_URL: '/api/v2/stripe/products/',
   SUBSCRIPTION_URL: '/api/v2/stripe/subscriptions/',
diff --git a/jsapp/js/projects/myOrgProjectsRoute.tsx b/jsapp/js/projects/myOrgProjectsRoute.tsx
new file mode 100644
index 0000000000..8b8bc80119
--- /dev/null
+++ b/jsapp/js/projects/myOrgProjectsRoute.tsx
@@ -0,0 +1,52 @@
+// Libraries
+import React, {useState, useEffect} from 'react';
+
+// Partial components
+import UniversalProjectsRoute from './universalProjectsRoute';
+import LoadingSpinner from 'js/components/common/loadingSpinner';
+
+// Stores, hooks and utilities
+import {useOrganizationQuery} from 'js/account/stripe.api';
+
+// Constants and types
+import {
+  ORG_VIEW,
+  HOME_ORDERABLE_FIELDS,
+  HOME_DEFAULT_VISIBLE_FIELDS,
+  HOME_EXCLUDED_FIELDS,
+} from './projectViews/constants';
+import {ROOT_URL} from 'js/constants';
+import {endpoints} from 'js/api.endpoints';
+
+/**
+ * Component responsible for rendering organization projects route
+ * (`#/organization/projects`).
+ */
+export default function MyOrgProjectsRoute() {
+  const orgQuery = useOrganizationQuery();
+  const [apiUrl, setApiUrl] = useState<string | null>(null);
+
+  // We need to load organization data to build the api url.
+  useEffect(() => {
+    if (orgQuery.data) {
+      setApiUrl(endpoints.ORG_ASSETS_URL.replace(':organization_id', orgQuery.data.id));
+    }
+  }, [orgQuery.data]);
+
+  // Display spinner until everything is ready to go forward.
+  if (!apiUrl) {
+    return <LoadingSpinner />;
+  }
+
+  return (
+    <UniversalProjectsRoute
+      viewUid={ORG_VIEW.uid}
+      baseUrl={`${ROOT_URL}${apiUrl}`}
+      defaultVisibleFields={HOME_DEFAULT_VISIBLE_FIELDS}
+      includeTypeFilter={false}
+      defaultOrderableFields={HOME_ORDERABLE_FIELDS}
+      defaultExcludedFields={HOME_EXCLUDED_FIELDS}
+      isExportButtonVisible={false}
+    />
+  );
+}
diff --git a/jsapp/js/projects/projectViews/constants.ts b/jsapp/js/projects/projectViews/constants.ts
index 58ee83b2c5..9c18ef300c 100644
--- a/jsapp/js/projects/projectViews/constants.ts
+++ b/jsapp/js/projects/projectViews/constants.ts
@@ -5,6 +5,11 @@ export const HOME_VIEW = {
   name: t('My Projects'),
 };
 
+export const ORG_VIEW = {
+  uid: 'kobo_my_organization_projects',
+  name: t('##organization name## Projects'),
+};
+
 export interface ProjectsFilterDefinition {
   fieldName?: ProjectFieldName;
   condition?: FilterConditionName;
diff --git a/jsapp/js/projects/projectViews/viewSwitcher.tsx b/jsapp/js/projects/projectViews/viewSwitcher.tsx
index 6f52727525..786bbfaa73 100644
--- a/jsapp/js/projects/projectViews/viewSwitcher.tsx
+++ b/jsapp/js/projects/projectViews/viewSwitcher.tsx
@@ -8,12 +8,13 @@ import cx from 'classnames';
 import Icon from 'js/components/common/icon';
 import KoboDropdown from 'js/components/common/koboDropdown';
 
-// Stores
+// Stores and hooks
 import projectViewsStore from './projectViewsStore';
+import {useOrganizationQuery} from 'js/account/stripe.api';
 
 // Constants
 import {PROJECTS_ROUTES} from 'js/router/routerConstants';
-import {HOME_VIEW} from './constants';
+import {HOME_VIEW, ORG_VIEW} from './constants';
 
 // Styles
 import styles from './viewSwitcher.module.scss';
@@ -32,11 +33,14 @@ function ViewSwitcher(props: ViewSwitcherProps) {
   // We track the menu visibility for the trigger icon.
   const [isMenuVisible, setIsMenuVisible] = useState(false);
   const [projectViews] = useState(() => projectViewsStore);
+  const orgQuery = useOrganizationQuery();
   const navigate = useNavigate();
 
   const onOptionClick = (viewUid: string) => {
     if (viewUid === HOME_VIEW.uid || viewUid === null) {
       navigate(PROJECTS_ROUTES.MY_PROJECTS);
+    } else if (viewUid === ORG_VIEW.uid) {
+      navigate(PROJECTS_ROUTES.MY_ORG_PROJECTS);
     } else {
       navigate(PROJECTS_ROUTES.CUSTOM_VIEW.replace(':viewUid', viewUid));
       // The store keeps a number of assets of each view, and that number
@@ -45,8 +49,16 @@ function ViewSwitcher(props: ViewSwitcherProps) {
     }
   };
 
+  const hasMultipleOptions = (
+    projectViews.views.length !== 0 ||
+    orgQuery.data?.is_mmo
+  );
+  const organizationName = orgQuery.data?.name || t('Organization');
+
   let triggerLabel = HOME_VIEW.name;
-  if (props.selectedViewUid !== HOME_VIEW.uid) {
+  if (props.selectedViewUid === ORG_VIEW.uid) {
+    triggerLabel = ORG_VIEW.name.replace('##organization name##', organizationName);
+  } else if (props.selectedViewUid !== HOME_VIEW.uid) {
     triggerLabel = projectViews.getView(props.selectedViewUid)?.name || '-';
   }
 
@@ -55,9 +67,9 @@ function ViewSwitcher(props: ViewSwitcherProps) {
     return null;
   }
 
-  // If there are no custom views defined, there's no point in displaying
-  // the dropdown, we will display a "simple" header.
-  if (projectViews.views.length === 0) {
+  // If there is only one option in the switcher, there is no point in making
+  // this piece of UI interactive. We display a "simple" header instead.
+  if (!hasMultipleOptions) {
     return (
       <button
         className={cx(styles.trigger, styles.triggerSimple)}
@@ -97,6 +109,18 @@ function ViewSwitcher(props: ViewSwitcherProps) {
               {HOME_VIEW.name}
             </button>
 
+            {/* This is the organization view option - depends if user is in MMO
+            organization */}
+            {orgQuery.data?.is_mmo &&
+              <button
+                key={ORG_VIEW.uid}
+                className={styles.menuOption}
+                onClick={() => onOptionClick(ORG_VIEW.uid)}
+              >
+                {ORG_VIEW.name.replace('##organization name##', organizationName)}
+              </button>
+            }
+
             {/* This is the list of all options for custom views. These are only
             being added if custom views are defined (at least one). */}
             {projectViews.views.map((view) => (
diff --git a/jsapp/js/projects/routes.tsx b/jsapp/js/projects/routes.tsx
index 2aa3222dfb..876dbc3351 100644
--- a/jsapp/js/projects/routes.tsx
+++ b/jsapp/js/projects/routes.tsx
@@ -2,10 +2,14 @@ import React from 'react';
 import {Navigate, Route} from 'react-router-dom';
 import RequireAuth from 'js/router/requireAuth';
 import {PROJECTS_ROUTES} from 'js/router/routerConstants';
+import {ValidateOrgPermissions} from 'js/router/validateOrgPermissions.component';
 
 const MyProjectsRoute = React.lazy(
   () => import(/* webpackPrefetch: true */ './myProjectsRoute')
 );
+const MyOrgProjectsRoute = React.lazy(
+  () => import(/* webpackPrefetch: true */ './myOrgProjectsRoute')
+);
 const CustomViewRoute = React.lazy(
   () => import(/* webpackPrefetch: true */ './customViewRoute')
 );
@@ -25,6 +29,19 @@ export default function routes() {
           </RequireAuth>
         }
       />
+      <Route
+        path={PROJECTS_ROUTES.MY_ORG_PROJECTS}
+        element={
+          <RequireAuth>
+            <ValidateOrgPermissions
+              mmoOnly
+              redirectRoute={PROJECTS_ROUTES.MY_PROJECTS}
+            >
+              <MyOrgProjectsRoute />
+            </ValidateOrgPermissions>
+          </RequireAuth>
+        }
+      />
       <Route
         path={PROJECTS_ROUTES.CUSTOM_VIEW}
         element={
diff --git a/jsapp/js/router/router.tsx b/jsapp/js/router/router.tsx
index ef5b719f20..70012e873f 100644
--- a/jsapp/js/router/router.tsx
+++ b/jsapp/js/router/router.tsx
@@ -52,7 +52,7 @@ export const router = createHashRouter(
         element={<Navigate to={ROUTES.FORMS} replace />}
       />
       <Route path={ROUTES.ACCOUNT_ROOT}>{accountRoutes()}</Route>
-      <Route path={ROUTES.PROJECTS_ROOT}>{projectsRoutes()}</Route>
+      {projectsRoutes()}
       <Route path={ROUTES.LIBRARY}>
         <Route path='' element={<Navigate to={ROUTES.MY_LIBRARY} replace />} />
         <Route
diff --git a/jsapp/js/router/routerConstants.ts b/jsapp/js/router/routerConstants.ts
index 18de7470e4..584021e8e4 100644
--- a/jsapp/js/router/routerConstants.ts
+++ b/jsapp/js/router/routerConstants.ts
@@ -49,6 +49,11 @@ export const ROUTES = Object.freeze({
 
 export const PROJECTS_ROUTES: {readonly [key: string]: string} = {
   MY_PROJECTS: ROUTES.PROJECTS_ROOT + '/home',
+  /**
+   * We break from the default way to set routes here, as we want to be
+   * consistent with other organization related routes.
+   */
+  MY_ORG_PROJECTS: '/organization/projects',
   CUSTOM_VIEW: ROUTES.PROJECTS_ROOT + '/:viewUid',
 };
 

From 878f80f155da20b4d08051e59ce9ae655d72ab7a Mon Sep 17 00:00:00 2001
From: Guillermo <lgar89@gmail.com>
Date: Thu, 14 Nov 2024 13:44:53 -0600
Subject: [PATCH 8/8] feat(projectHistoryLogs): remove audit logs according to
 constance configuration TASK-972 (#5225)

This PR adds the automatic expiration mechanism for project history
logs. It is similar to the access log mechanism. The expiration time
span is configured through constance.
---
 jsapp/js/envStore.ts                    |  1 +
 kobo/apps/audit_log/tasks.py            | 25 ++++---
 kobo/apps/audit_log/tests/test_tasks.py | 71 +++++++++++++-----
 kobo/settings/base.py                   | 24 +++---
 kpi/tests/api/test_api_environment.py   |  7 +-
 kpi/views/environment.py                | 97 ++++++++++++++-----------
 6 files changed, 142 insertions(+), 83 deletions(-)

diff --git a/jsapp/js/envStore.ts b/jsapp/js/envStore.ts
index 6e74ab6a46..23621c92a2 100644
--- a/jsapp/js/envStore.ts
+++ b/jsapp/js/envStore.ts
@@ -44,6 +44,7 @@ export interface EnvironmentResponse {
    */
   terms_of_service__sitewidemessage__exists: boolean;
   open_rosa_server: string;
+  project_history_log_lifespan: number;
 }
 
 /*
diff --git a/kobo/apps/audit_log/tasks.py b/kobo/apps/audit_log/tasks.py
index b7aae9f272..e3f86fefe8 100644
--- a/kobo/apps/audit_log/tasks.py
+++ b/kobo/apps/audit_log/tasks.py
@@ -8,6 +8,7 @@
 from kobo.apps.audit_log.models import (
     AccessLog,
     AuditLog,
+    ProjectHistoryLog,
 )
 from kobo.celery import celery_app
 from kpi.utils.log import logging
@@ -20,26 +21,32 @@ def batch_delete_audit_logs_by_id(ids):
     logging.info(f'Deleted {count} audit logs from database')
 
 
-@celery_app.task()
-def spawn_access_log_cleaning_tasks():
-    """
-    Enqueue tasks to delete access logs older than ACCESS_LOG_LIFESPAN days old.
+def enqueue_logs_for_deletion(LogModel: AuditLog, log_lifespan: int):
+    """Delete the logs for an audit log proxy model considering a lifespan
+    given in number of days.
 
-    ACCESS_LOG_LIFESPAN is configured via constance.
     Ids are batched into multiple tasks.
     """
-
     expiration_date = timezone.now() - timedelta(
-        days=config.ACCESS_LOG_LIFESPAN
+        days=log_lifespan
     )
 
     expired_logs = (
-        AccessLog.objects.filter(date_created__lt=expiration_date)
+        LogModel.objects.filter(date_created__lt=expiration_date)
         .values_list('id', flat=True)
         .iterator()
     )
     for id_batch in chunked(
-        expired_logs, settings.ACCESS_LOG_DELETION_BATCH_SIZE
+        expired_logs, settings.LOG_DELETION_BATCH_SIZE
     ):
         # queue up a new task for each batch of expired ids
         batch_delete_audit_logs_by_id.delay(ids=id_batch)
+
+
+@celery_app.task()
+def spawn_logs_cleaning_tasks():
+    """
+    Enqueue tasks to delete logs older than the configured lifespan
+    """
+    enqueue_logs_for_deletion(AccessLog, config.ACCESS_LOG_LIFESPAN)
+    enqueue_logs_for_deletion(ProjectHistoryLog, config.PROJECT_HISTORY_LOG_LIFESPAN)
diff --git a/kobo/apps/audit_log/tests/test_tasks.py b/kobo/apps/audit_log/tests/test_tasks.py
index b2042f55f6..b593dc004d 100644
--- a/kobo/apps/audit_log/tests/test_tasks.py
+++ b/kobo/apps/audit_log/tests/test_tasks.py
@@ -5,12 +5,18 @@
 from django.test import override_settings
 from django.utils import timezone
 
-from kobo.apps.audit_log.models import AccessLog
+from kobo.apps.audit_log.models import (
+    AccessLog,
+    ProjectHistoryLog,
+)
 from kobo.apps.audit_log.tasks import (
     batch_delete_audit_logs_by_id,
-    spawn_access_log_cleaning_tasks,
+    enqueue_logs_for_deletion,
+    spawn_logs_cleaning_tasks,
 )
 from kobo.apps.kobo_auth.shortcuts import User
+from kpi.constants import PROJECT_HISTORY_LOG_PROJECT_SUBTYPE
+from kpi.models import Asset
 from kpi.tests.base_test_case import BaseTestCase
 
 
@@ -19,27 +25,57 @@ class AuditLogTasksTestCase(BaseTestCase):
 
     fixtures = ['test_data']
 
+    def setUp(self):
+        self.user = User.objects.get(username='someuser')
+        self.three_days_ago = timezone.now() - timedelta(days=3)
+        self.asset = Asset.objects.get(pk=1)
+
+    def test_delete_logs(self):
+        AccessLog.objects.create(
+            user=self.user, date_created=self.three_days_ago
+        )
+        ProjectHistoryLog.objects.create(
+            user=self.user,
+            date_created=self.three_days_ago,
+            metadata={
+                'asset_uid': self.asset.uid,
+                'ip_address': '0.0.0.0',
+                'source': 'source',
+                'log_subtype': PROJECT_HISTORY_LOG_PROJECT_SUBTYPE,
+                'latest_version_uid': '0',
+            },
+            object_id=self.asset.id,
+        )
+
+        self.assertEqual(AccessLog.objects.count(), 1)
+        enqueue_logs_for_deletion(AccessLog, 1)
+        self.assertEqual(AccessLog.objects.count(), 0)
+        # Ensure that the delete_logs function only deletes the objects for the given
+        # log class
+        self.assertEqual(ProjectHistoryLog.objects.count(), 1)
+        enqueue_logs_for_deletion(ProjectHistoryLog, 1)
+        self.assertEqual(ProjectHistoryLog.objects.count(), 0)
+
     def test_spawn_deletion_task_identifies_expired_logs(self):
         """
         Test the spawning task correctly identifies which logs to delete.
 
         Separated for easier debugging of the spawning vs deleting steps
         """
-        user = User.objects.get(username='someuser')
         old_log = AccessLog.objects.create(
-            user=user,
+            user=self.user,
             date_created=timezone.now() - timedelta(days=1, hours=1),
         )
         older_log = AccessLog.objects.create(
-            user=user,
+            user=self.user,
             date_created=timezone.now() - timedelta(days=2)
         )
-        new_log = AccessLog.objects.create(user=user)
+        new_log = AccessLog.objects.create(user=self.user)
 
         with patch(
             'kobo.apps.audit_log.tasks.batch_delete_audit_logs_by_id.delay'
         ) as patched_spawned_task:
-            spawn_access_log_cleaning_tasks()
+            spawn_logs_cleaning_tasks()
 
         # get the list of ids passed for any call to the actual deletion task
         id_lists = [kwargs['ids'] for _, _, kwargs in patched_spawned_task.mock_calls]
@@ -49,28 +85,26 @@ def test_spawn_deletion_task_identifies_expired_logs(self):
         self.assertIn(older_log.id, all_deleted_ids)
         self.assertNotIn(new_log.id, all_deleted_ids)
 
-    @override_settings(ACCESS_LOG_DELETION_BATCH_SIZE=2)
+    @override_settings(LOG_DELETION_BATCH_SIZE=2)
     def test_spawn_task_batches_ids(self):
-        three_days_ago = timezone.now() - timedelta(days=3)
-        user = User.objects.get(username='someuser')
         old_log_1 = AccessLog.objects.create(
-            user=user, date_created=three_days_ago
+            user=self.user, date_created=self.three_days_ago
         )
         old_log_2 = AccessLog.objects.create(
-            user=user, date_created=three_days_ago
+            user=self.user, date_created=self.three_days_ago
         )
         old_log_3 = AccessLog.objects.create(
-            user=user, date_created=three_days_ago
+            user=self.user, date_created=self.three_days_ago
         )
 
         with patch(
             'kobo.apps.audit_log.tasks.batch_delete_audit_logs_by_id.delay'
         ) as patched_spawned_task:
-            spawn_access_log_cleaning_tasks()
+            spawn_logs_cleaning_tasks()
 
         # Should be 2 batches
         self.assertEqual(patched_spawned_task.call_count, 2)
-        # make sure all batches were <= ACCESS_LOG_DELETION_BATCH_SIZE
+        # make sure all batches were <= LOG_DELETION_BATCH_SIZE
         all_deleted_ids = []
         for task_call in patched_spawned_task.mock_calls:
             _, _, kwargs = task_call
@@ -84,10 +118,9 @@ def test_spawn_task_batches_ids(self):
         self.assertIn(old_log_3.id, all_deleted_ids)
 
     def test_batch_delete_audit_logs_by_id(self):
-        user = User.objects.get(username='someuser')
-        log_1 = AccessLog.objects.create(user=user)
-        log_2 = AccessLog.objects.create(user=user)
-        log_3 = AccessLog.objects.create(user=user)
+        log_1 = AccessLog.objects.create(user=self.user)
+        log_2 = AccessLog.objects.create(user=self.user)
+        log_3 = AccessLog.objects.create(user=self.user)
         self.assertEqual(AccessLog.objects.count(), 3)
 
         batch_delete_audit_logs_by_id(ids=[log_1.id, log_2.id])
diff --git a/kobo/settings/base.py b/kobo/settings/base.py
index aab4661472..5d03a5b027 100644
--- a/kobo/settings/base.py
+++ b/kobo/settings/base.py
@@ -589,15 +589,20 @@
         ),
         'Email message to sent to admins on failure.',
     ),
-    'USE_TEAM_LABEL': (
-        True,
-        'Use the term "Team" instead of "Organization" when Stripe is not enabled',
+    'PROJECT_HISTORY_LOG_LIFESPAN': (
+        60,
+        'Length of time days to keep project history logs.',
+        'positive_int',
     ),
     'ACCESS_LOG_LIFESPAN': (
         60,
         'Length of time in days to keep access logs.',
-        'positive_int'
-    )
+        'positive_int',
+    ),
+    'USE_TEAM_LABEL': (
+        True,
+        'Use the term "Team" instead of "Organization" when Stripe is not enabled',
+    ),
 }
 
 CONSTANCE_ADDITIONAL_FIELDS = {
@@ -663,6 +668,7 @@
         'FRONTEND_MAX_RETRY_TIME',
         'USE_TEAM_LABEL',
         'ACCESS_LOG_LIFESPAN',
+        'PROJECT_HISTORY_LOG_LIFESPAN'
     ),
     'Rest Services': (
         'ALLOW_UNSECURED_HOOK_ENDPOINTS',
@@ -1233,11 +1239,11 @@ def dj_stripe_request_callback_method():
         'schedule': crontab(minute=0, hour=0),
         'options': {'queue': 'kpi_low_priority_queue'}
     },
-    'delete-expired-access-logs': {
-        'task': 'kobo.apps.audit_log.tasks.spawn_access_log_cleaning_tasks',
+    'delete-expired-logs': {
+        'task': 'kobo.apps.audit_log.tasks.spawn_logs_cleaning_tasks',
         'schedule': crontab(minute=0, hour=0),
         'options': {'queue': 'kpi_low_priority_queue'}
-    }
+    },
 }
 
 
@@ -1789,7 +1795,7 @@ def dj_stripe_request_callback_method():
     'application/x-zip-compressed'
 ]
 
-ACCESS_LOG_DELETION_BATCH_SIZE = 1000
+LOG_DELETION_BATCH_SIZE = 1000
 
 # Silence Django Guardian warning. Authentication backend is hooked, but
 # Django Guardian does not recognize it because it is extended
diff --git a/kpi/tests/api/test_api_environment.py b/kpi/tests/api/test_api_environment.py
index e1d2dfaf6a..e37ac9d291 100644
--- a/kpi/tests/api/test_api_environment.py
+++ b/kpi/tests/api/test_api_environment.py
@@ -126,6 +126,9 @@ def setUp(self):
             ),
             'open_rosa_server': settings.KOBOCAT_URL,
             'terms_of_service__sitewidemessage__exists': False,
+            'project_history_log_lifespan': (
+                constance.config.PROJECT_HISTORY_LOG_LIFESPAN
+            ),
             'use_team_label': constance.config.USE_TEAM_LABEL,
         }
 
@@ -313,7 +316,7 @@ def test_free_tier_override_uses_organization_owner_join_date(
     def test_social_apps(self):
         # GET mutates state, call it first to test num queries later
         self.client.get(self.url, format='json')
-        queries = FuzzyInt(18, 26)
+        queries = FuzzyInt(18, 27)
         with self.assertNumQueries(queries):
             response = self.client.get(self.url, format='json')
         self.assertEqual(response.status_code, status.HTTP_200_OK)
@@ -332,7 +335,7 @@ def test_social_apps(self):
     def test_social_apps_no_custom_data(self):
         SocialAppCustomData.objects.all().delete()
         self.client.get(self.url, format='json')
-        queries = FuzzyInt(18, 26)
+        queries = FuzzyInt(18, 27)
         with self.assertNumQueries(queries):
             response = self.client.get(self.url, format='json')
 
diff --git a/kpi/views/environment.py b/kpi/views/environment.py
index 1f590da181..747382f7b6 100644
--- a/kpi/views/environment.py
+++ b/kpi/views/environment.py
@@ -52,6 +52,10 @@ class EnvironmentView(APIView):
         'USE_TEAM_LABEL',
     ]
 
+    OTHER_CONFIGS = [
+        'PROJECT_HISTORY_LOG_LIFESPAN',
+    ]
+
     @classmethod
     def process_simple_configs(cls):
         return {
@@ -64,30 +68,18 @@ def process_simple_configs(cls):
         'FREE_TIER_THRESHOLDS',
     ]
 
-    @classmethod
-    def process_json_configs(cls):
+    def get(self, request, *args, **kwargs):
         data = {}
-        for key in cls.JSON_CONFIGS:
-            value = getattr(constance.config, key)
-            try:
-                value = to_python_object(value)
-            except json.JSONDecodeError:
-                logging.error(
-                    f'Configuration value for `{key}` has invalid JSON'
-                )
-                continue
-            data[key.lower()] = value
-        return data
-
-    @staticmethod
-    def split_with_newline_kludge(value):
-        """
-        django-constance formerly (before 2.7) used `\r\n` for newlines but
-        later changed that to `\n` alone. See #3825, #3831. This fix-up process
-        is *only* needed for settings that existed prior to this change; do not
-        use it when adding new settings.
-        """
-        return (line.strip('\r') for line in value.split('\n'))
+        data.update(self.process_simple_configs())
+        data.update(self.process_json_configs())
+        data.update(self.process_choice_configs())
+        data.update(self.process_mfa_configs(request))
+        data.update(self.process_password_configs(request))
+        data.update(self.process_project_metadata_configs(request))
+        data.update(self.process_user_metadata_configs(request))
+        data.update(self.process_other_configs(request))
+        data.update(self.static_configs(request))
+        return Response(data)
 
     @classmethod
     def process_choice_configs(cls):
@@ -114,6 +106,21 @@ def process_choice_configs(cls):
         data['interface_languages'] = settings.LANGUAGES
         return data
 
+    @classmethod
+    def process_json_configs(cls):
+        data = {}
+        for key in cls.JSON_CONFIGS:
+            value = getattr(constance.config, key)
+            try:
+                value = to_python_object(value)
+            except json.JSONDecodeError:
+                logging.error(
+                    f'Configuration value for `{key}` has invalid JSON'
+                )
+                continue
+            data[key.lower()] = value
+        return data
+
     @staticmethod
     def process_mfa_configs(request):
         data = {}
@@ -149,13 +156,6 @@ def process_project_metadata_configs(request):
         }
         return data
 
-    @staticmethod
-    def process_user_metadata_configs(request):
-        data = {
-            'user_metadata_fields': I18nUtils.get_metadata_fields('user')
-        }
-        return data
-
     @staticmethod
     def process_other_configs(request):
         data = {}
@@ -169,12 +169,17 @@ def process_other_configs(request):
         data['asr_mt_features_enabled'] = check_asr_mt_access_for_user(request.user)
         data['submission_placeholder'] = SUBMISSION_PLACEHOLDER
 
+        for key in EnvironmentView.OTHER_CONFIGS:
+            data[key.lower()] = getattr(constance.config, key)
+
         if settings.STRIPE_ENABLED:
             from djstripe.models import APIKey
 
             try:
                 data['stripe_public_key'] = str(
-                    APIKey.objects.get(type='publishable', livemode=settings.STRIPE_LIVE_MODE).secret
+                    APIKey.objects.get(
+                        type='publishable', livemode=settings.STRIPE_LIVE_MODE
+                    ).secret
                 )
             except MultipleObjectsReturned as e:
                 raise MultipleObjectsReturned(
@@ -209,18 +214,22 @@ def process_other_configs(request):
 
         return data
 
+    @staticmethod
+    def process_user_metadata_configs(request):
+        data = {
+            'user_metadata_fields': I18nUtils.get_metadata_fields('user')
+        }
+        return data
+
+    @staticmethod
+    def split_with_newline_kludge(value):
+        """
+        django-constance formerly (before 2.7) used `\r\n` for newlines but
+        later changed that to `\n` alone. See #3825, #3831. This fix-up process
+        is *only* needed for settings that existed prior to this change; do not
+        use it when adding new settings.
+        """
+        return (line.strip('\r') for line in value.split('\n'))
+
     def static_configs(self, request):
         return {'open_rosa_server': settings.KOBOCAT_URL}
-
-    def get(self, request, *args, **kwargs):
-        data = {}
-        data.update(self.process_simple_configs())
-        data.update(self.process_json_configs())
-        data.update(self.process_choice_configs())
-        data.update(self.process_mfa_configs(request))
-        data.update(self.process_password_configs(request))
-        data.update(self.process_project_metadata_configs(request))
-        data.update(self.process_user_metadata_configs(request))
-        data.update(self.process_other_configs(request))
-        data.update(self.static_configs(request))
-        return Response(data)