diff --git a/backend/Dockerfile.prod b/backend/Dockerfile.prod
new file mode 100644
index 0000000..a96b0d7
--- /dev/null
+++ b/backend/Dockerfile.prod
@@ -0,0 +1,53 @@
+FROM python:3.11-slim
+
+# Set environment variables
+ENV PYTHONUNBUFFERED=1
+ENV PYTHONDONTWRITEBYTECODE=1
+ENV PYTHONPATH=/app
+ENV NODE_ENV=production
+ENV APP_ENV=production
+
+# Set work directory
+WORKDIR /app
+
+# Install system dependencies
+RUN DEBIAN_FRONTEND=noninteractive apt-get update && apt-get install -y \
+ build-essential \
+ libpq-dev \
+ postgresql-client \
+ curl \
+ ffmpeg \
+ && rm -rf /var/lib/apt/lists/*
+
+# Copy requirements and install Python dependencies
+COPY requirements.txt .
+RUN pip install --no-cache-dir -r requirements.txt
+
+# Optional: Install NLP requirements if needed
+# COPY requirements-nlp.txt .
+# RUN pip install --no-cache-dir -r requirements-nlp.txt
+
+# Copy application code
+COPY . .
+
+# Copy and make migration script executable
+COPY scripts/migrate.sh /usr/local/bin/migrate.sh
+RUN chmod +x /usr/local/bin/migrate.sh
+
+# Create non-root user for security
+RUN useradd --create-home --shell /bin/bash app && \
+ chown -R app:app /app
+USER app
+
+# Create logs directory
+RUN mkdir -p logs
+
+# Expose port
+EXPOSE 8000
+
+# Health check
+HEALTHCHECK --interval=30s --timeout=30s --start-period=5s --retries=3 \
+ CMD curl -f http://localhost:8000/health || exit 1
+
+# Run the application in production mode
+CMD ["uvicorn", "app.main:app", "--host", "0.0.0.0", "--port", "8000"]
\ No newline at end of file
diff --git a/docker-compose.prod.yml b/docker-compose.prod.yml
new file mode 100644
index 0000000..1d2166a
--- /dev/null
+++ b/docker-compose.prod.yml
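Review bot: `RUN useradd ... && chown -R app:app /app` runs after `COPY . .`, so the runtime user ends up owning, and able to rewrite, its own application code, and the recursive chown duplicates every copied file into a second layer. The `app` user only needs write access to `logs` (which the compose file bind-mounts over anyway), so create the user before the copy, leave `/app` root-owned and read-only for `app` (`PYTHONDONTWRITEBYTECODE=1` is already set, so no `.pyc` writes are needed), and hand over only the logs directory; the later `RUN mkdir -p logs` under `USER app` then becomes redundant. Separately, `apt-get install -y` leaves `build-essential` and its recommended packages in the production image with no version pins (hadolint DL3008/DL3015); if it is only needed to compile wheels, a build stage or at least `--no-install-recommends` would shrink the runtime image's attack surface.
```dockerfile
# … unchanged: FROM, ENV, WORKDIR, apt-get, requirements install …
# Create the non-root user first so the code copied below stays root-owned (read-only for app)
RUN useradd --create-home --shell /bin/bash app

COPY . .
# … unchanged: migrate.sh copy and chmod …

# Only the logs directory needs to be writable by the runtime user
RUN mkdir -p /app/logs && chown app:app /app/logs
USER app
# … unchanged: EXPOSE, HEALTHCHECK, CMD …
```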
@@ -0,0 +1,183 @@
+version: '3.8'
+
+services:
+ # Nginx reverse proxy - Internal routing only (since SSL is handled by host)
+ enclava-nginx:
+ image: nginx:alpine
+ ports:
+ - "50080:80" # Port for host reverse proxy to connect to
+ volumes:
+ - ./nginx/nginx.conf:/etc/nginx/nginx.conf:ro
+ - nginx-logs:/var/log/nginx
+ depends_on:
+ - enclava-backend
+ - enclava-frontend
+ networks:
+ - enclava-net
+ restart: unless-stopped
+ healthcheck:
+ test: ["CMD", "curl", "-f", "http://localhost/health"]
+ interval: 30s
+ timeout: 10s
+ retries: 3
+
+ # Database migration service - runs once to apply migrations
+ enclava-migrate:
+ build:
+ context: ./backend
+ dockerfile: Dockerfile.prod
+ environment:
+ - DATABASE_URL=postgresql://${POSTGRES_USER}:${POSTGRES_PASSWORD}@enclava-postgres:5432/${POSTGRES_DB}
+ depends_on:
+ - enclava-postgres
+ command: ["/usr/local/bin/migrate.sh"]
+ networks:
+ - enclava-net
+ restart: "no" # Run once and exit
+
+ # Main application backend - Production version
+ enclava-backend:
+ build:
+ context: ./backend
+ dockerfile: Dockerfile.prod
+ environment:
+ - DATABASE_URL=postgresql://${POSTGRES_USER}:${POSTGRES_PASSWORD}@enclava-postgres:5432/${POSTGRES_DB}
+ - REDIS_URL=redis://enclava-redis:6379
+ - QDRANT_HOST=enclava-qdrant
+ - JWT_SECRET=${JWT_SECRET}
+ - PRIVATEMODE_API_KEY=${PRIVATEMODE_API_KEY}
+ - ADMIN_EMAIL=${ADMIN_EMAIL}
+ - ADMIN_PASSWORD=${ADMIN_PASSWORD}
+ - LOG_LLM_PROMPTS=${LOG_LLM_PROMPTS:-false}
+ - BASE_URL=${BASE_URL}
+ - NODE_ENV=production
+ - APP_ENV=production
+ depends_on:
+ - enclava-migrate
+ - enclava-postgres
+ - enclava-redis
+ - enclava-qdrant
+ - privatemode-proxy
+ volumes:
+ - ./logs:/app/logs
+ - ./plugins:/plugins
+ networks:
+ - enclava-net
+ restart: unless-stopped
+ healthcheck:
+ test: ["CMD", "curl", "-f", "http://localhost:8000/health"]
+ interval: 30s
+ timeout: 10s
+ retries: 3
+
+ # Next.js frontend - Production build
+ enclava-frontend:
+ build:
+ context: ./frontend
+ dockerfile: Dockerfile
+ target: runner # Use the production stage from multi-stage build
+ environment:
+ - BASE_URL=${BASE_URL}
+ - NEXT_PUBLIC_BASE_URL=${BASE_URL}
+ - BACKEND_INTERNAL_PORT=8000
+ - FRONTEND_INTERNAL_PORT=3000
+ - INTERNAL_API_URL=http://enclava-backend:8000
+ - NODE_ENV=production
+ - NEXT_TELEMETRY_DISABLED=1
+ depends_on:
+ - enclava-backend
+ networks:
+ - enclava-net
+ restart: unless-stopped
+ healthcheck:
+ test: ["CMD", "curl", "-f", "http://localhost:3000"]
+ interval: 30s
+ timeout: 10s
+ retries: 3
+
+ # PostgreSQL database
+ enclava-postgres:
+ image: postgres:16-alpine
+ environment:
+ - POSTGRES_DB=${POSTGRES_DB}
+ - POSTGRES_USER=${POSTGRES_USER}
+ - POSTGRES_PASSWORD=${POSTGRES_PASSWORD}
+ volumes:
+ - enclava-postgres-data:/var/lib/postgresql/data
+ - ./postgres/postgresql.conf:/etc/postgresql/postgresql.conf:ro
+ - postgres-backups:/backups
+ networks:
+ - enclava-net
+ restart: unless-stopped
+ healthcheck:
+ test: ["CMD-SHELL", "pg_isready -U ${POSTGRES_USER} -d ${POSTGRES_DB}"]
+ interval: 30s
+ timeout: 10s
+ retries: 5
+
+ # Redis for caching and message queue
+ enclava-redis:
+ image: redis:7-alpine
+ command: redis-server --appendonly yes --maxmemory 512mb --maxmemory-policy allkeys-lru
+ volumes:
+ - enclava-redis-data:/data
+ networks:
+ - enclava-net
+ restart: unless-stopped
+ healthcheck:
+ test: ["CMD", "redis-cli", "ping"]
+ interval: 30s
+ timeout: 10s
+ retries: 3
+
+ # Qdrant vector database
+ enclava-qdrant:
+ image: qdrant/qdrant:v1.7.4
+ environment:
+ - QDRANT__SERVICE__HTTP_PORT=6333
+ - QDRANT__SERVICE__GRPC_PORT=6334
+ - QDRANT__LOG_LEVEL=INFO
+ volumes:
+ - enclava-qdrant-data:/qdrant/storage
+ - ./qdrant/config.yaml:/qdrant/config/production.yaml:ro
+ networks:
+ - enclava-net
+ restart: unless-stopped
+ healthcheck:
+ test: ["CMD", "curl", "-f", "http://localhost:6333/"]
+ interval: 30s
+ timeout: 10s
+ retries: 3
+
+ # Privatemode.ai service (optional - for confidential models)
+ privatemode-proxy:
+ image: ghcr.io/edgelesssys/privatemode/privatemode-proxy:latest
+ environment:
+ - PRIVATEMODE_API_KEY=${PRIVATEMODE_API_KEY}
+ - PRIVATEMODE_CACHE_MODE=${PRIVATEMODE_CACHE_MODE:-none}
+ - PRIVATEMODE_CACHE_SALT=${PRIVATEMODE_CACHE_SALT}
+ entrypoint: ["/bin/privatemode-proxy"]
+ command: [
+ "--apiKey=${PRIVATEMODE_API_KEY}",
+ "--port=8080"
+ ]
+ networks:
+ - enclava-net
+ restart: unless-stopped
+ profiles:
+ - privatemode
+
+
+volumes:
+ enclava-postgres-data:
+ driver: local
+ enclava-redis-data:
+ driver: local
+ enclava-qdrant-data:
+ driver: local
+ nginx-logs:
+ driver: local
+
+networks:
+ enclava-net:
+ driver: bridge
\ No newline at end of file
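Review bot: `enclava-postgres` mounts `postgres-backups:/backups`, but the top-level `volumes:` section declares only the four other named volumes, so Compose rejects the project with an undefined-volume error before any service starts; add `postgres-backups:` / `driver: local` next to the others. Second, the list-form `depends_on` only waits for containers to be created, so `enclava-backend` can start against an un-migrated schema and `enclava-migrate` can run before Postgres accepts connections (unless `migrate.sh` retries, which is not visible here); the long form with `condition: service_completed_successfully` for the migrate job and `service_healthy` for the datastores that already define healthchecks fixes both orderings, and needs Compose v2, where the `version: '3.8'` key is ignored anyway. Third, `privatemode-proxy` pulls `:latest` and passes `PRIVATEMODE_API_KEY` both in `environment` and as `--apiKey=…` on the command line, where it is readable by any host user through `/proc/<pid>/cmdline`, and the service is a hard dependency of `enclava-backend` despite sitting in the supposedly optional `privatemode` profile; pin the image tag or digest, keep whichever key-passing form the proxy documents, and confirm how the Compose version in use treats a dependency on a non-activated profile.
```yaml
  enclava-migrate:
    # … unchanged: build, environment, command, networks, restart …
    depends_on:
      enclava-postgres:
        condition: service_healthy

  enclava-backend:
    # … unchanged: build, environment …
    depends_on:
      enclava-migrate:
        condition: service_completed_successfully
      enclava-postgres:
        condition: service_healthy
      enclava-redis:
        condition: service_healthy
      enclava-qdrant:
        condition: service_healthy
      privatemode-proxy:
        condition: service_started
    # … unchanged: volumes, networks, restart, healthcheck …
```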