diff --git a/Apps/Spliit/docker-compose.yml b/Apps/Spliit/docker-compose.yml
index 903c60b..73eb72d 100644
--- a/Apps/Spliit/docker-compose.yml
+++ b/Apps/Spliit/docker-compose.yml
@@ -1,10 +1,10 @@
 name: spliit
 services:
 nginxhashlock:
- image: ghcr.io/yundera/nginx-hash-lock:latest
+ image: ghcr.io/yundera/nginx-hash-lock:1.0.7
 container_name: spliit-nginxhashlock
 restart: unless-stopped
- user: "root"
+ user: "0:0"
 environment:
 AUTH_HASH: $AUTH_HASH
 BACKEND_HOST: "spliit"
@@ -31,15 +31,12 @@ services: cpu_shares: 80 networks: - pcs - privileged: true - cap_add: - - SYS_ADMIN - - NET_ADMIN db: - image: postgres:16-alpine + image: postgres:16.13-alpine container_name: spliit-db - user: 0:0 + user: "0:0" + cpu_shares: 50 environment: POSTGRES_DB: spliit POSTGRES_USER: postgres
@@ -59,15 +56,14 @@ services:
 image: ghcr.io/spliit-app/spliit:1.19.0
 container_name: spliit
 restart: unless-stopped
+ user: "0:0"
+ cpu_shares: 50
 environment:
 TZ: $TZ
 POSTGRES_PRISMA_URL: postgresql://postgres:$APP_DEFAULT_PASSWORD@db:5432/spliit
 POSTGRES_URL_NON_POOLING: postgresql://postgres:$APP_DEFAULT_PASSWORD@db:5432/spliit
 networks:
 - pcs
- cap_add:
- - SYS_ADMIN
- - NET_ADMIN
 deploy:
 resources:
 limits:
diff --git a/Apps/Spliit/rationale.md b/Apps/Spliit/rationale.md
new file mode 100644
index 0000000..f83f8bc
--- /dev/null
+++ b/Apps/Spliit/rationale.md
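Review bot: `image: ghcr.io/yundera/nginx-hash-lock:1.0.7` replaces `latest`, which is the right direction, but a version tag is still mutable on the registry, so the pin is only as strong as the publisher's tag discipline; pinning by digest, `image: ghcr.io/yundera/nginx-hash-lock:1.0.7@sha256:<digest-placeholder>`, makes the deployed artifact reproducible and verifiable. The same tag-only pinning applies to `image: postgres:16.13-alpine` in the second hunk. `user: "0:0"` keeps the sidecar as root and nothing in the file says why; a comment above it such as `# root: see rationale.md (binds port 80); revisit once the image supports a non-root user with NET_BIND_SERVICE` keeps the exception visible to the next maintainer.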
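Review bot: Dropping `privileged: true` and the `cap_add` block from nginxhashlock is the substantive hardening in the second hunk, but the db service still gets `user: "0:0"` with no explanation in the file. If this is the official postgres image, its entrypoint drops to the `postgres` user after initialising and chown-ing the data directory, so the real exposure is narrower than the line suggests; a comment like `# root only for entrypoint init/chown of pgdata; the server itself runs as postgres (see rationale.md)` would document that. The added `cpu_shares: 50` is a relative weight that only matters under CPU contention, not a limit, which is worth noting next to the `limits:` block so it is not mistaken for one.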
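Review bot: In the third hunk `user: "0:0"` is newly added to the spliit app container, which previously ran as whatever user the image defaults to, so the commit widens the app's privilege even as it removes `cap_add`; since this is the service that parses untrusted web input, the root exception deserves the narrowest scope possible. If the only requirement is write access for Prisma migrations, as rationale.md states, making the mounted working directory owned by the image's default user would usually satisfy it without root — worth verifying against the image before keeping this line. Where root must stay, `cap_drop: [ALL]` and `security_opt: ["no-new-privileges:true"]` on this service remove the capabilities root would otherwise hold and block setuid escalation, and should not affect plain writes to root-owned paths. The `spliit:` service definition starts before this hunk.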
@@ -0,0 +1,23 @@
+# Spliit — Rationale
+
+## What deviation / exception is being requested
+All three services run as `user: 0:0` (root). The nginx-hash-lock sidecar gates web access with a hash-based authentication layer.
+
+## Why it is necessary
+- **spliit**: The Node.js application runs Prisma database migrations on startup, which requires write access to the working directory. Running as non-root causes migration failures.
+- **db (PostgreSQL)**: Requires root for database initialization and file ownership in `/var/lib/postgresql/data`. Standard practice for PostgreSQL containers.
+- **nginxhashlock**: The nginx-hash-lock sidecar needs root to bind to port 80 and configure nginx.
+
+## Security mitigations in place
+- All volumes map exclusively to `/DATA/AppData/$AppID/` — no access to user directories
+- No privileged mode on any service
+- Memory limits on all services (128M nginx, 512M db, 1G app)
+- Web access gated by nginx-hash-lock sidecar (hash-based authentication)
+- Database credentials use `$APP_DEFAULT_PASSWORD` (not hardcoded)
+
+## Alternatives considered and rejected
+- `user: $PUID:$PGID` — Prisma migrations fail without root; PostgreSQL init requires root for data directory ownership
+
+## Data protection
+- PostgreSQL data persists in `/DATA/AppData/$AppID/pgdata/`
+- Data survives uninstall/reinstall