Common Issues

Can't sign in — "Invalid credentials"

Supabase Auth rejects the password. Options in order:

• Reset password via /auth/login → Forgot password. Email delivery can take 2-3 minutes.
• If no password reset email arrives after 5 minutes, check your email's spam folder, then check that the email you used exists in Supabase Auth (the admin can verify).
• If you signed up via an invite, your account is tied to the exact email the invite was sent to. A different email case or domain will fail.

Signed in, but every page redirects to login

Session cookie expired or session-timeout fired. Causes:

• 8 hours of inactivity — the session-timeout middleware signs you out automatically for security. Just sign in again.
• Supabase project region change — rare, but clearing cookies and signing in fresh resolves it.
• Browser blocking third-party cookies — OneComply uses first-party cookies only, but if you're on a very strict privacy extension, whitelist the domain.

"Accept terms" modal appears on every login

A legal document was updated and the version changed. Accept once — the modal goes away. If the modal keeps re-appearing on the same user after accepting, it's a bug — open a ticket with your org ID. See Legal Acceptance for the mechanism.

My trial says "expired" but I should still have days left

The trial-expiry cron runs daily at midnight UTC. If your trial says expired within 24 hours of the trialEndsAt date, the cron ran before the UI updated. Refresh the page. If it persists beyond 24 hours, open a ticket with your org ID — an admin can extend your trial manually.

Got the "trial expiring in 3 days" email but I already upgraded

Stripe webhook delivery lag. The upgrade is live but the subscription-status row hadn't propagated before the cron scanned. Check /dashboard/billing— if your plan shows as Professional/Enterprise, you're fine; the email was a race condition. If billing still shows Starter after 10 minutes, open a ticket with your Stripe Checkout receipt number.

"Past due" on an account that paid successfully

Stripe invoice delivery or webhook dropped. Check the Stripe dashboard directly — if the invoice shows paid there, wait 15 minutes for webhook retry. Otherwise open a ticket.

Auditor says "Invalid or expired link"

The most common cause is clicking an old email after a fresh invite was issued — every resend rotates the token. Ask them to use the most recent email. If it's genuinely the latest link, the access may have been revoked or expired. Check /dashboard/auditors — the row shows current lifecycle state.

Auditor stuck on Terms of Engagement page

Expected behaviour on first-ever portal visit. They tick the checkbox and click Accept. If they report being looped back to the TOE after accepting, their cookie isn't persisting — usually a strict third-party cookie policy. They should try a different browser or whitelist our domain.

Download button says "No evidence attached" but the row has a filename

Expected. fileName is metadata — the row can carry a filename without having an actual uploaded file. The server checks fileUrl before rendering a download button. Upload the file from the evidence detail dialog to enable downloads.

Upload fails with "file too large"

Per-file cap is 50 MB at the upload endpoint. Bucket-level quotas are enforced separately by plan. If you hit the per-file cap, split large ZIPs or compress further before uploading.

Uploaded evidence doesn't show in the register

Refresh. Evidence lists are cached at the component level for 60 seconds. If it still doesn't appear, check the vendor filter on the list page — if set to a specific vendor, evidence without a vendorIdwon't show.

Evidence expired unexpectedly

The expiry cron runs daily and marks isValid = false when expiresAt passes. Editing expiresAt forward doesn't re-validate automatically — you need to re-upload or mark valid via the review endpoint.

Not receiving auditor-comment notifications

Only OWNER, ADMIN, and COMPLIANCE_OFFICER roles receive auditor notifications by default. Check /dashboard/settings/members for your role. Bell polling is every 15 seconds with instant refetch on tab focus, so if the bell icon shows nothing after an auditor comments, refresh — if still empty, the notify dispatch failed; check the audit log for COMMENT entries with source="auditor".

Emails not arriving

OneComply uses Resend for transactional email. If an expected email doesn't arrive:

• Check spam — first emails from @onecomply.eu sometimes land there until you whitelist.
• If you're on a custom mail gateway, ask your IT to allow resend.com and our sender domain.
• If multiple users on the same org report missing emails, theRESEND_API_KEY env var may be missing or quota exhausted. Open a ticket.

CSV export missing rows

Exports respect the current filter on the register page. If you filtered to a specific vendor, framework, or status, the export reflects that. Clear filters and re-export to get everything.

Deleted something by accident

All top-level entities (evidence, vendors, controls, incidents, policies, risks) are soft-deleted — the row is marked deletedAt but preserved in the DB. Contact support within 30 days with the entity name and we can restore it. After 30 days we hard-delete per DORA retention policies (7-year retention on compliance records requires separate export before deletion; we can help you plan this).