diff --git a/docker-compose.production.yml b/docker-compose.production.yml
index fb51c04b..edafb717 100644
--- a/docker-compose.production.yml
+++ b/docker-compose.production.yml
@@ -169,6 +169,9 @@ services:
     # Redis will run as root, but this is acceptable for this use case
     cap_drop:
       - ALL
+    cap_add:
+      - CHOWN        # Required for creating appendonlydir with correct permissions
+      - DAC_OVERRIDE # Required for writing to /data volume owned by redis user
 
     # Use entrypoint script to inject password from Docker Secret into environment
     # This makes password available to both Redis startup AND health check