diff --git a/backend/server.js b/backend/server.js
index 65e03ff..b460cfa 100644
--- a/backend/server.js
+++ b/backend/server.js
@@ -196,6 +196,13 @@ const upload = multer({
     limits: { fileSize: 10 * 1024 * 1024 } // 10MB limit
 });
 
+// Separate multer instance for compliance xlsx uploads — these can be 30MB+ for large verticals
+const complianceUpload = multer({
+    storage: storage,
+    fileFilter: fileFilter,
+    limits: { fileSize: 50 * 1024 * 1024 } // 50MB limit for compliance spreadsheets
+});
+
 // Knowledge base routes (editor/admin for upload/delete, all authenticated for view)
 app.use('/api/knowledge-base', createKnowledgeBaseRouter(upload));
 
@@ -223,10 +230,10 @@ app.use('/api/ivanti/fp-workflow', createIvantiFpWorkflowRouter());
 
 // VCL multi-vertical routes — cross-organizational compliance reporting
 // Must be mounted BEFORE the general compliance router since both share the /api/compliance prefix
-app.use('/api/compliance/vcl-multi', createVCLMultiVerticalRouter(upload));
+app.use('/api/compliance/vcl-multi', createVCLMultiVerticalRouter(complianceUpload));
 
 // AEO compliance routes — xlsx upload, non-compliant item tracking, notes
-app.use('/api/compliance', createComplianceRouter(upload));
+app.use('/api/compliance', createComplianceRouter(complianceUpload));
 
 // Atlas InfoSec action plan routes — proxy CRUD to Atlas API, local cache for badges
 app.use('/api/atlas', createAtlasRouter());