diff --git a/.env.s3.template b/.env.s3.template
index 3e2c1e8a..6b724eb5 100644
--- a/.env.s3.template
+++ b/.env.s3.template
@@ -128,6 +128,40 @@ PRESIGNED_URLS_EXPIRE_MINUTES=240
 # Default: INFO
 # AWS_SDK_LOG_LEVEL=INFO
 
+# =============================================================================
+# CLOUDFRONT SIGNED URLs (SECURED STORAGE)
+# =============================================================================
+# Optional: CloudFront distribution URL for secure document access
+# Required for secured storage with signed URLs (production deployments)
+# Format: https://your-cloudfront-domain.cloudfront.net
+# SECURITY NOTE: Set via cpdocuseal deployment config, not committed to repo
+# CF_URL=https://example.cloudfront.net
+
+# Optional: CloudFront key pair ID for signing URLs
+# Required when using CloudFront signed URLs for document access
+# SECURITY NOTE: Set via cpdocuseal deployment config, not committed to repo
+# CF_KEY_PAIR_ID=K1234567890ABC
+
+# Optional: CloudFront private key secret path in AWS Secrets Manager
+# The initializer will load the private key from this secret location
+# Format: environment/cloudfront/private_key
+# SECURITY NOTE: Set via cpdocuseal deployment config, not committed to repo
+# CF_KEY_SECRET=production/cloudfront/private_key
+
+# Optional: Secured storage bucket name (shared with ATS for compliance)
+# Required when using secured CloudFront storage
+# SECURITY NOTE: Set via cpdocuseal deployment config, not committed to repo
+# SECURED_STORAGE_BUCKET=your-company-compliance-documents
+
+# Optional: Secured storage region
+# Default: us-east-1
+# SECURED_STORAGE_REGION=us-east-1
+
+# Optional: Disable secured storage in development
+# Set to 'true' to use local disk storage instead of secured S3/CloudFront
+# Only applies in development environment
+# DOCUSEAL_DISABLE_SECURED_STORAGE=true
+
 # =============================================================================
 # EXAMPLE CONFIGURATIONS
 # =============================================================================
diff --git a/app/models/account_group.rb b/app/models/account_group.rb
index e2bde3f0..02aa57ba 100644
--- a/app/models/account_group.rb
+++ b/app/models/account_group.rb
@@ -8,7 +8,7 @@
 #  name                      :string           not null
 #  created_at                :datetime         not null
 #  updated_at                :datetime         not null
-#  external_account_group_id :integer          not null
+#  external_account_group_id :string           not null
 #
 # Indexes
 #
diff --git a/app/models/document_generation_event.rb b/app/models/document_generation_event.rb
index f4e0a701..24d71ba3 100644
--- a/app/models/document_generation_event.rb
+++ b/app/models/document_generation_event.rb
@@ -13,7 +13,7 @@
 # Indexes
 #
 #  index_document_generation_events_on_submitter_id                 (submitter_id)
-#  index_document_generation_events_on_submitter_id_and_event_name  (submitter_id,event_name) UNIQUE WHERE ((event_name)::text = ANY ((ARRAY['start'::character varying, 'complete'::character varying])::text[]))
+#  index_document_generation_events_on_submitter_id_and_event_name  (submitter_id,event_name) UNIQUE WHERE ((event_name)::text = ANY (ARRAY[('start'::character varying)::text, ('complete'::character varying)::text]))
 #
 # Foreign Keys
 #
diff --git a/app/models/email_event.rb b/app/models/email_event.rb
index 3c6aac61..3aaa5db9 100644
--- a/app/models/email_event.rb
+++ b/app/models/email_event.rb
@@ -20,7 +20,7 @@
 #
 #  index_email_events_on_account_id_and_event_datetime  (account_id,event_datetime)
 #  index_email_events_on_email                          (email)
-#  index_email_events_on_email_event_types              (email) WHERE ((event_type)::text = ANY ((ARRAY['bounce'::character varying, 'soft_bounce'::character varying, 'complaint'::character varying, 'soft_complaint'::character varying])::text[]))
+#  index_email_events_on_email_event_types              (email) WHERE ((event_type)::text = ANY (ARRAY[('bounce'::character varying)::text, ('soft_bounce'::character varying)::text, ('complaint'::character varying)::text, ('soft_complaint'::character varying)::text]))
 #  index_email_events_on_emailable                      (emailable_type,emailable_id)
 #  index_email_events_on_message_id                     (message_id)
 #
diff --git a/app/services/document_security_service.rb b/app/services/document_security_service.rb
index c6406d17..c48efb10 100644
--- a/app/services/document_security_service.rb
+++ b/app/services/document_security_service.rb
@@ -47,15 +47,15 @@ class DocumentSecurityService
     end
 
     def cloudfront_base_url
-      @cloudfront_base_url ||= Rails.configuration.x.compliance_storage&.dig(:cf_url)
+      @cloudfront_base_url ||= ENV['CF_URL']
     end
 
     def cloudfront_key_pair_id
-      @cloudfront_key_pair_id ||= Rails.configuration.x.compliance_storage&.dig(:cf_key_pair)
+      @cloudfront_key_pair_id ||= ENV['CF_KEY_PAIR_ID']
     end
 
     def cloudfront_private_key
-      @cloudfront_private_key ||= ENV.fetch('SECURE_ATTACHMENT_PRIVATE_KEY', nil)
+      @cloudfront_private_key ||= ENV['SECURE_ATTACHMENT_PRIVATE_KEY']
     end
   end
 end
diff --git a/config/application.rb b/config/application.rb
index d045d892..dcfa1bfa 100644
--- a/config/application.rb
+++ b/config/application.rb
@@ -44,9 +44,6 @@ module DocuSeal
 
     autoloaders.once.do_not_eager_load("#{Turbo::Engine.root}/app/channels") # https://github.com/hotwired/turbo-rails/issues/512
 
-    # DocuSeal compliance storage configuration (reuses ATS infrastructure)
-    config.x.compliance_storage = config_for(:compliance_storage)
-
     ActiveSupport.run_load_hooks(:application_config, self)
   end
 end
diff --git a/config/initializers/secure_attachment.rb b/config/initializers/secure_attachment.rb
index 15793bbc..4db1bb5e 100644
--- a/config/initializers/secure_attachment.rb
+++ b/config/initializers/secure_attachment.rb
@@ -3,7 +3,8 @@
 require 'aws-sdk-secretsmanager'
 
 # Load CloudFront private key from AWS Secrets Manager (same as ATS)
-key_secret = Rails.configuration.x.compliance_storage&.dig(:cf_key_secret)
+# Configuration loaded from environment variables (set in cpdocuseal deployment)
+key_secret = ENV['CF_KEY_SECRET']
 
 if key_secret.present?
   begin
diff --git a/lib/submissions/generate_result_attachments.rb b/lib/submissions/generate_result_attachments.rb
index b817ca03..5a60c69d 100644
--- a/lib/submissions/generate_result_attachments.rb
+++ b/lib/submissions/generate_result_attachments.rb
@@ -851,8 +851,8 @@ module Submissions
         return Rails.application.config.active_storage.service
       end
 
-      # Use secured storage if compliance configuration is present
-      if Rails.configuration.x.compliance_storage.present?
+      # Use secured storage if CloudFront configuration is present (loaded from ENV)
+      if ENV['CF_URL'].present? && ENV['CF_KEY_PAIR_ID'].present?
         'aws_s3_secured'
       else
         Rails.application.config.active_storage.service
diff --git a/spec/models/account_group_spec.rb b/spec/models/account_group_spec.rb
index bc291c26..d2c02f8e 100644
--- a/spec/models/account_group_spec.rb
+++ b/spec/models/account_group_spec.rb
@@ -8,7 +8,7 @@
 #  name                      :string           not null
 #  created_at                :datetime         not null
 #  updated_at                :datetime         not null
-#  external_account_group_id :integer          not null
+#  external_account_group_id :string           not null
 #
 # Indexes
 #