diff --git a/web/docker-compose.yml b/web/docker-compose.yml
index dea68c8..8b63c42 100644
--- a/web/docker-compose.yml
+++ b/web/docker-compose.yml
@@ -27,7 +27,7 @@ services:
 - inventory-network
 depends_on:
 server:
- condition: service_started
+ condition: service_healthy
 restart: unless-stopped
 networks:
diff --git a/web/server/Dockerfile b/web/server/Dockerfile
index 3d3468e..abb0aaa 100644
--- a/web/server/Dockerfile
+++ b/web/server/Dockerfile
@@ -2,7 +2,8 @@ FROM node:18-alpine
 # Build tools needed for better-sqlite3 native compilation
-RUN apk add --no-cache python3 make g++
+# su-exec for dropping privileges in entrypoint
+RUN apk add --no-cache python3 make g++ su-exec
 WORKDIR /app
@@ -15,16 +16,18 @@ RUN apk del python3 make g++
 COPY . .
-# Create data directory for SQLite with proper ownership
-RUN mkdir -p /data && chown node:node /data
+# Create data directory for SQLite
+RUN mkdir -p /data
 VOLUME /data
-# Run as non-root user for security
-USER node
+# Entrypoint fixes /data permissions then drops to node user
+COPY docker-entrypoint.sh /usr/local/bin/
+RUN chmod +x /usr/local/bin/docker-entrypoint.sh
 EXPOSE 3001
 HEALTHCHECK --interval=30s --timeout=3s --start-period=5s --retries=3 \
 CMD node -e "require('http').get('http://localhost:3001/api/health',r=>{process.exit(r.statusCode===200?0:1)}).on('error',()=>process.exit(1))"
+ENTRYPOINT ["docker-entrypoint.sh"]
 CMD ["node", "server.js"]
diff --git a/web/server/docker-entrypoint.sh b/web/server/docker-entrypoint.sh
new file mode 100755
index 0000000..042a099
--- /dev/null
+++ b/web/server/docker-entrypoint.sh
@@ -0,0 +1,9 @@
+#!/bin/sh
+set -e
+
+# Ensure data directory exists and is writable by the node user
+mkdir -p /data
+chown node:node /data
+
+# Drop privileges and exec the CMD
+exec su-exec node "$@"
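Review bot: su-exec is a runtime dependency, but it is appended to the `RUN apk add` line whose comment describes build tools for the better-sqlite3 native compilation, and the later `apk del python3 make g++` (visible as the next hunk's context) is what keeps it from being removed with them. That works, but a reader following the comment could reasonably add it to the `apk del` list and break the entrypoint. Installing it on its own line, `RUN apk add --no-cache su-exec`, or widening the comment to `# Build tools for better-sqlite3 are removed below; su-exec stays for the entrypoint`, makes the split between build-only and runtime packages explicit.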
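Review bot: With `USER node` removed, the container's default user is root again, so the `HEALTHCHECK` probe on the `CMD node -e` line and any `docker exec` run as root; only the server process started through su-exec is dropped to node. That is the trade the commit makes to fix ownership of a mounted /data, but it should be stated next to `ENTRYPOINT`, e.g. `# NOTE: image starts as root; docker-entrypoint.sh chowns /data then drops to node via su-exec`, since a `docker run --user` or a runAsNonRoot policy will conflict with the chown in the entrypoint. Two smaller points: `ENTRYPOINT ["docker-entrypoint.sh"]` relies on PATH lookup, and `ENTRYPOINT ["/usr/local/bin/docker-entrypoint.sh"]` is the conventional absolute form; and the `COPY` plus `RUN chmod +x` pair can be a single layer as `COPY --chmod=755 docker-entrypoint.sh /usr/local/bin/` (BuildKit), the file's git mode 100755 suggesting the chmod is likely redundant anyway.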
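Review bot: The script assumes it starts as root: when the container is launched with `docker run --user node` or under a runAsNonRoot policy, `chown node:node /data` fails, `set -e` aborts the container before the server starts, and su-exec could not switch users from a non-root process anyway. Guarding the privileged steps on the current uid and otherwise exec'ing the command directly keeps both launch modes working and is the usual shape for this kind of entrypoint. Also, `chown` here is not recursive, so files already present in a bind-mounted /data keep their previous owner; whether that matters depends on how the volume was populated, and `chown -R` is the fix if it does, at the cost of touching every file on each start.
```shell
#!/bin/sh
set -e

# Only root can fix ownership and switch users; when the container is
# started as a non-root user, run the command as that user unchanged.
if [ "$(id -u)" = "0" ]; then
    mkdir -p /data
    chown node:node /data
    exec su-exec node "$@"
fi

exec "$@"
```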