diff --git a/Dockerfile b/Dockerfile
index 8d1f58c5..85a7fe10 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -53,6 +53,8 @@ WORKDIR /app
 RUN apk add --no-cache sqlite-dev libpq-dev mariadb-dev vips-dev yaml-dev redis libheif vips-heif gcompat ttf-freefont && mkdir /fonts && rm /usr/share/fonts/freefont/FreeSans.otf
+RUN addgroup -g 2000 docuseal && adduser -u 2000 -G docuseal -s /bin/sh -D -h /home/docuseal docuseal
+
 RUN echo $'.include = /etc/ssl/openssl.cnf\n\
 \n\
 [provider_sect]\n\
@@ -92,7 +94,10 @@ COPY --from=webpack /app/public/packs ./public/packs
 RUN ln -s /fonts /app/public/fonts
 RUN bundle exec bootsnap precompile -j 1 --gemfile app/ lib/
+RUN chown -R docuseal:docuseal /app
+
 WORKDIR /data/docuseal
+ENV HOME=/home/docuseal
 ENV WORKDIR=/data/docuseal
 EXPOSE 3000
diff --git a/config/dotenv.rb b/config/dotenv.rb
index 319785e7..c12e6b2c 100644
--- a/config/dotenv.rb
+++ b/config/dotenv.rb
@@ -1,6 +1,20 @@
 # frozen_string_literal: true
 if ENV['RAILS_ENV'] == 'production'
+ if Process.uid.zero?
+ begin
+ workdir = ENV.fetch('WORKDIR', '.')
+
+ if File.exist?(workdir) && File.stat(workdir).uid != 2000
+ puts 'Changing the owner of the docuseal directory...' unless Dir.empty?(workdir)
+
+ FileUtils.chown_R(2000, 2000, workdir)
+ end
+ rescue StandardError
+ puts 'Unable to change docuseal directory owner'
+ end
+ end
+
 if !ENV['AWS_SECRET_MANAGER_ID'].to_s.empty?
 require 'aws-sdk-secretsmanager'
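Review bot: `RUN chown -R docuseal:docuseal /app` hands the runtime user write access to the whole application tree, so a compromised process can rewrite its own code and precompiled bootsnap cache; the usual hardening is to leave the code root-owned and world-readable and chown only the directories the app must write at runtime (whichever those are for this project — not visible in the hunk). The same `RUN chown -R` as a separate layer also duplicates the /app contents in the image; if the copy steps are adjusted, `COPY --chown=docuseal:docuseal` avoids that. No `USER docuseal` instruction appears in the hunk, so the container still starts as root and the privilege drop depends entirely on the Ruby-side `setuid` in config/dotenv.rb; if that is intentional (to allow the startup chown of the data volume), a one-line comment above the `chown` stating it would save the next reader the investigation.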
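Review bot: `FileUtils.chown_R(2000, 2000, workdir)` depends on `FileUtils` already being loaded this early in boot, and if it is not, the resulting `NameError` is a `StandardError` and is swallowed by the `rescue` as "Unable to change docuseal directory owner", so the ownership step would silently never run; since this hunk starts at line 1, adding `require 'fileutils'` below the frozen-string comment removes the doubt. The `rescue` also discards the exception, which makes any real failure (EPERM, a read-only mount) undiagnosable from the log — `rescue StandardError => e` and `puts "Unable to change docuseal directory owner: #{e.message}"` costs nothing. The uid 2000 is repeated as a bare literal here and in the later setuid hunk; a single `DOCUSEAL_UID = 2000` constant at the top of the file would tie the two together with the `adduser -u 2000` in the Dockerfile. Note that the check only inspects the top-level directory's owner, so a volume whose root is already uid 2000 but with mixed ownership inside is not repaired; that may be acceptable, but worth a comment.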
@@ -30,12 +44,30 @@ if ENV['RAILS_ENV'] == 'production'
 File.write(dotenv_path, default_env)
 end
+ if Process.uid.zero?
+ begin
+ File.chown(0, 0, dotenv_path)
+ File.chmod(0o600, dotenv_path)
+ rescue StandardError
+ puts 'Unable to set dotenv mod'
+ end
+ end
+
 database_url = ENV.fetch('DATABASE_URL', nil)
 Dotenv.load(dotenv_path)
 ENV['DATABASE_URL'] = ENV['DATABASE_URL'].to_s.empty? ? database_url : ENV.fetch('DATABASE_URL', nil)
 end
+
+ unless Process.uid == 2000
+ begin
+ Process::Sys.setgid(2000)
+ Process::Sys.setuid(2000)
+ rescue StandardError
+ puts 'Unable to run as 2000:2000'
+ end
+ end
 end
 if ENV['DATABASE_URL'].to_s.split('@').last.to_s.split('/').first.to_s.include?('_')
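Review bot: The privilege drop in the `unless Process.uid == 2000` block leaves root's supplementary groups in place: `Process::Sys.setgid` and `setuid` change the primary gid and uid but not the supplementary group list, so the process keeps any groups the root account had, which defeats part of the point of running as 2000:2000. Add `Process.groups = [2000]` (or `Process.initgroups('docuseal', 2000)`, since the Dockerfile hunk creates that user) before the `setgid` call; setgid must still precede setuid as it does now. When the drop fails the process continues as root with only a `puts` to stdout — at minimum use `warn` and include the exception message, and consider whether a production boot should proceed at all in that state. Guarding with `Process.uid.zero?` like the two earlier blocks would also avoid a misleading EPERM message when the container is started as some other non-root uid; the hunk's trailing context appears to continue past the lines shown.
```ruby
  if Process.uid.zero?
    begin
      Process.groups = [2000]
      Process::Sys.setgid(2000)
      Process::Sys.setuid(2000)
    rescue StandardError => e
      warn "Unable to run as 2000:2000: #{e.message}"
    end
  end
```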