Compliance troubleshooting
Resolve blocked controls, evidence export failures, policy approval issues, risk acceptance blockers, and overdue review problems in the compliance module.
Last updated: June 2026
Cannot export evidence or audit package
Evidence and audit package exports require specific permissions and session conditions:
- Missing permission. Only Client Owners and Client Security Admins can export audit packages. Client Compliance Auditors can view but not export. Request the required role from your Client Owner if you need export access.
- MFA required. Audit package export requires an active MFA session. Log out and log back in, completing MFA, to establish a verified session.
- PIM required. If your Client Owner or Client Security Admin role is configured as PIM-eligible, activate it in Administration > PIM before attempting the export.
Control is stuck in blocked status
Open the control and review its blocker list. Common causes and resolutions:
- No owner assigned. Go to the control detail and assign a responsible owner.
- Policy not approved. Go to Compliance > Policies and approve the required policy. Remember — the policy owner cannot approve their own policy.
- Evidence missing. Go to Compliance > Evidence and add the missing evidence type for this control. Submit it for review and acceptance.
- Evidence expired. Re-collect and re-submit the expired evidence. Evidence with a past expiration date does not count toward control readiness.
- High risk unresolved. Go to Compliance > Risks and treat the linked risk — mitigate, accept (Client Owner required), transfer, or avoid.
- Access review overdue. Complete the overdue access review campaign. See the access reviews troubleshooting below.
- Vendor review overdue. Update the vendor's review status in Compliance > Vendors. See the vendor review troubleshooting below.
Policy won't approve
- Self-approval blocked. The policy owner cannot approve their own policy. Assign a different Client Owner or Client Security Admin as the approver.
- Need a different approver. Policy approval requires a Client Owner or Client Security Admin. Contact a user who holds one of these roles to review and approve the policy.
Risk acceptance blocked
- Only Client Owners can formally accept risks. If you see a permission error, contact your Client Owner and provide the risk ID and justification for acceptance.
- If accepting the risk requires PIM activation, go to Administration > PIM, activate your Client Owner role, and then return to the risk register to accept.
Overdue access review blocking readiness
- Go to Compliance > Access Reviews. Find any overdue campaigns (shown in red or with an overdue badge).
- Open the campaign, review each access item, and mark the campaign as complete with documented decisions.
- Completion generates accepted evidence for the linked control, which should unblock it.
Overdue vendor review blocking readiness
- Go to Compliance > Vendors. Review vendors with overdue review dates.
- Complete the vendor security review: update risk rating, confirm or update DPA status, request and upload any new vendor security reports.
- Set the next review date and save. The vendor management control should unblock once all overdue reviews are updated.
Why Nuxari says "readiness" not "certified"
Nuxari uses the term "compliance readiness" because the platform helps you organize and operate the work required for compliance programs. Formal SOC 2 and ISO 27001 certification requires an external audit by an independent, accredited third party — a CPA firm for SOC 2, an accredited certification body for ISO 27001. Nuxari cannot issue these certifications and makes no guarantee of audit outcomes. Nuxari is building its own compliance program and will share its own certification reports when external audits are completed.