diff --git a/docs/samples/deployments/openai-anonymaztion-and-deanonymaztion-best-practices/src/api/Dockerfile b/docs/samples/deployments/openai-anonymaztion-and-deanonymaztion-best-practices/src/api/Dockerfile index 8e98200cc1..de41137c4a 100644 --- a/docs/samples/deployments/openai-anonymaztion-and-deanonymaztion-best-practices/src/api/Dockerfile +++ b/docs/samples/deployments/openai-anonymaztion-and-deanonymaztion-best-practices/src/api/Dockerfile @@ -12,4 +12,9 @@ RUN python -m spacy download nl_core_news_sm COPY . . +# Create a non-root user and set ownership +RUN useradd -m -u 1001 presidio && chown -R presidio:presidio /app + +USER 1001 + CMD ["uvicorn", "main:app", "--host", "0.0.0.0", "--port", "80"] diff --git a/docs/samples/deployments/openai-anonymaztion-and-deanonymaztion-best-practices/src/client_app/Dockerfile b/docs/samples/deployments/openai-anonymaztion-and-deanonymaztion-best-practices/src/client_app/Dockerfile index 56e61133c7..7f3b008ee1 100644 --- a/docs/samples/deployments/openai-anonymaztion-and-deanonymaztion-best-practices/src/client_app/Dockerfile +++ b/docs/samples/deployments/openai-anonymaztion-and-deanonymaztion-best-practices/src/client_app/Dockerfile @@ -8,4 +8,9 @@ RUN pip install --no-cache-dir -r requirements.txt COPY . . +# Create a non-root user and set ownership +RUN useradd -m -u 1001 presidio && chown -R presidio:presidio /app + +USER 1001 + CMD ["python", "serve.py"] diff --git a/presidio-analyzer/Dockerfile b/presidio-analyzer/Dockerfile index abc2c504e0..8d8e4d9473 100644 --- a/presidio-analyzer/Dockerfile +++ b/presidio-analyzer/Dockerfile 
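Review bot: In the src/api hunk, `USER 1001` is added while the unchanged `CMD [..., "--port", "80"]` still binds a privileged port, so uvicorn now starts as an unprivileged user on port 80; this works on Docker Engine ≥20.10 (it sets ip_unprivileged_port_start=0) but fails with a bind error under Kubernetes and other runtimes that do not, and the failure only shows up at container start. Move the listener to an unprivileged port, e.g. `CMD ["uvicorn", "main:app", "--host", "0.0.0.0", "--port", "8080"]`, and update whatever publishes the port. Separately, `RUN useradd ... && chown -R presidio:presidio /app` as its own layer after `COPY . .` rewrites every copied file into a second layer and gives the runtime user write access to its own code; creating the user first and using `COPY --chown=1001:1001 . .` avoids the duplicate layer, and if the service never writes under /app at runtime, leaving the tree root-owned and world-readable (no chown at all) is the least-privilege choice. The same chown-after-COPY pattern appears in the client_app hunk below and in the analyzer, stanza, transformers, anonymizer and image-redactor Dockerfiles later in this diff; the WORKDIR that `COPY . .` resolves against is outside the hunk.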
@@ -4,6 +4,7 @@ ARG NLP_CONF_FILE=presidio_analyzer/conf/default.yaml ARG ANALYZER_CONF_FILE=presidio_analyzer/conf/default_analyzer.yaml ARG RECOGNIZER_REGISTRY_CONF_FILE=presidio_analyzer/conf/default_recognizers.yaml ENV PIP_NO_CACHE_DIR=1 +ENV POETRY_VIRTUALENVS_CREATE=false ENV ANALYZER_CONF_FILE=${ANALYZER_CONF_FILE} ENV RECOGNIZER_REGISTRY_CONF_FILE=${RECOGNIZER_REGISTRY_CONF_FILE} @@ -32,6 +33,12 @@ COPY ./install_nlp_models.py /app/ RUN poetry run python install_nlp_models.py --conf_file ${NLP_CONF_FILE} COPY . /app/ + +# Create a non-root user and set ownership +RUN useradd -m -u 1001 presidio && chown -R presidio:presidio /app + +USER 1001 + EXPOSE ${PORT} HEALTHCHECK --interval=30s --timeout=3s --start-period=30s --retries=3 \ CMD curl -f http://localhost:${PORT}/health || exit 1 diff --git a/presidio-analyzer/Dockerfile.dev b/presidio-analyzer/Dockerfile.dev index 09b1ddbdfe..3d8d3512a4 100644 --- a/presidio-analyzer/Dockerfile.dev +++ b/presidio-analyzer/Dockerfile.dev @@ -18,3 +18,8 @@ RUN apt-get update \ && apt-get install -y build-essential RUN pip install poetry + +# Create a non-root user for development +RUN useradd -m -u 1001 presidio + +USER 1001 diff --git a/presidio-analyzer/Dockerfile.stanza b/presidio-analyzer/Dockerfile.stanza index 63c7929d57..c88ddc2f2b 100644 --- a/presidio-analyzer/Dockerfile.stanza +++ b/presidio-analyzer/Dockerfile.stanza @@ -4,6 +4,7 @@ ARG NLP_CONF_FILE=presidio_analyzer/conf/default.yaml ARG ANALYZER_CONF_FILE=presidio_analyzer/conf/default_analyzer.yaml ARG RECOGNIZER_REGISTRY_CONF_FILE=presidio_analyzer/conf/default_recognizers.yaml ENV PIP_NO_CACHE_DIR=1 +ENV POETRY_VIRTUALENVS_CREATE=false ENV ANALYZER_CONF_FILE=${ANALYZER_CONF_FILE} ENV RECOGNIZER_REGISTRY_CONF_FILE=${RECOGNIZER_REGISTRY_CONF_FILE} 
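Review bot: `ENV POETRY_VIRTUALENVS_CREATE=false` in the first presidio-analyzer/Dockerfile hunk is load-bearing for the `USER 1001` change further down, but nothing says why. Presumably it forces `poetry install` (run as root, outside this hunk) into the interpreter's system site-packages, which is world-readable, instead of a virtualenv under root's home that the 1001 user could not read or even find after the user switch; confirm that is the intent and record it next to the line, e.g. `# Install into the system site-packages: a per-user virtualenv under /root would be unreadable once we drop to USER 1001`. The same undocumented line is added to Dockerfile.stanza, Dockerfile.transformers, Dockerfile.windows and the anonymizer and image-redactor Dockerfiles, so one shared comment wording would help. Note that the setting also persists as a runtime ENV, which is harmless but means any `poetry` invoked in a running container behaves the same way.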
@@ -31,6 +32,12 @@ COPY ./install_nlp_models.py /app/ RUN poetry run python install_nlp_models.py --conf_file ${NLP_CONF_FILE} COPY . /app/ + +# Create a non-root user and set ownership +RUN useradd -m -u 1001 presidio && chown -R presidio:presidio /app + +USER 1001 + EXPOSE ${PORT} HEALTHCHECK --interval=30s --timeout=3s --start-period=30s --retries=3 \ CMD curl -f http://localhost:${PORT}/health || exit 1 diff --git a/presidio-analyzer/Dockerfile.transformers b/presidio-analyzer/Dockerfile.transformers index 656e0626b8..0c19d70fad 100644 --- a/presidio-analyzer/Dockerfile.transformers +++ b/presidio-analyzer/Dockerfile.transformers @@ -4,6 +4,7 @@ ARG NLP_CONF_FILE=presidio_analyzer/conf/transformers.yaml ARG ANALYZER_CONF_FILE=presidio_analyzer/conf/default_analyzer.yaml ARG RECOGNIZER_REGISTRY_CONF_FILE=presidio_analyzer/conf/default_recognizers.yaml ENV PIP_NO_CACHE_DIR=1 +ENV POETRY_VIRTUALENVS_CREATE=false WORKDIR /app ENV ANALYZER_CONF_FILE=${ANALYZER_CONF_FILE} @@ -28,6 +29,12 @@ COPY ./install_nlp_models.py /app/ RUN poetry run python install_nlp_models.py --conf_file ${NLP_CONF_FILE} COPY . /app/ + +# Create a non-root user and set ownership +RUN useradd -m -u 1001 presidio && chown -R presidio:presidio /app + +USER 1001 + EXPOSE ${PORT} HEALTHCHECK --interval=30s --timeout=3s --start-period=30s --retries=3 \ CMD curl -f http://localhost:${PORT}/health || exit 1 diff --git a/presidio-analyzer/Dockerfile.windows b/presidio-analyzer/Dockerfile.windows index af1d407b1e..4503541a55 100644 --- a/presidio-analyzer/Dockerfile.windows +++ b/presidio-analyzer/Dockerfile.windows @@ -4,6 +4,7 @@ ARG NLP_CONF_FILE=presidio_analyzer/conf/default.yaml ARG ANALYZER_CONF_FILE=presidio_analyzer/conf/default_analyzer.yaml ARG RECOGNIZER_REGISTRY_CONF_FILE=presidio_analyzer/conf/default_recognizers.yaml ENV PIP_NO_CACHE_DIR=1 +ENV POETRY_VIRTUALENVS_CREATE=false ENV PORT=3000 WORKDIR /app 
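Review bot: In the Dockerfile.stanza and Dockerfile.transformers hunks, `install_nlp_models.py` runs as root and only afterwards does `USER 1001` switch to an account whose HOME is /home/presidio (created by `useradd -m`). If the script lets stanza or Hugging Face use their default home-relative caches (`~/stanza_resources`, `~/.cache/huggingface`; the script itself is not in this diff, so this is inferred), the models downloaded at build time land under /root, are invisible to uid 1001 at runtime, and are re-downloaded on first request or fail outright in an offline cluster. The `chown -R presidio:presidio /app` does not help because those paths are outside /app. Pin the cache to a location that is covered by the chown before the install step, e.g. `ENV STANZA_RESOURCES_DIR=/app/models` in Dockerfile.stanza and `ENV HF_HOME=/app/.cache/huggingface` in Dockerfile.transformers, and verify the model loads as the non-root user without network access.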
@@ -32,6 +33,11 @@ COPY ${NLP_CONF_FILE} ${NLP_CONF_FILE} RUN poetry run python install_nlp_models.py --conf_file $Env:NLP_CONF_FILE COPY . . + +# Create a non-root user for Windows container +RUN net user presidio /add +USER presidio + EXPOSE ${PORT} HEALTHCHECK --interval=30s --timeout=3s --start-period=30s --retries=3 \ diff --git a/presidio-anonymizer/Dockerfile b/presidio-anonymizer/Dockerfile index ff80674c52..dc25f5eb90 100644 --- a/presidio-anonymizer/Dockerfile +++ b/presidio-anonymizer/Dockerfile @@ -1,6 +1,7 @@ FROM python:3.13-slim ENV PIP_NO_CACHE_DIR=1 +ENV POETRY_VIRTUALENVS_CREATE=false ENV PORT=3000 ENV WORKERS=1 @@ -15,6 +16,11 @@ RUN pip install poetry && poetry install --no-root --only=main -E server COPY . /app/ +# Create a non-root user and set ownership +RUN useradd -m -u 1001 presidio && chown -R presidio:presidio /app + +USER 1001 + EXPOSE ${PORT} HEALTHCHECK --interval=30s --timeout=3s --start-period=30s --retries=3 \ CMD curl -f http://localhost:${PORT}/health || exit 1 diff --git a/presidio-anonymizer/Dockerfile.dev b/presidio-anonymizer/Dockerfile.dev index 79ab1eb916..98cf196329 100644 --- a/presidio-anonymizer/Dockerfile.dev +++ b/presidio-anonymizer/Dockerfile.dev @@ -5,3 +5,8 @@ RUN apt-get update \ && apt-get install -y build-essential RUN pip install poetry + +# Create a non-root user for development +RUN useradd -m -u 1001 presidio + +USER 1001 diff --git a/presidio-anonymizer/Dockerfile.windows b/presidio-anonymizer/Dockerfile.windows index 274ad5aec8..347e7786fd 100644 --- a/presidio-anonymizer/Dockerfile.windows +++ b/presidio-anonymizer/Dockerfile.windows @@ -1,6 +1,7 @@ FROM python:3.13-windowsservercore ENV PIP_NO_CACHE_DIR=1 +ENV POETRY_VIRTUALENVS_CREATE=false ENV PORT=3000 WORKDIR /app 
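Review bot: In the presidio-analyzer/Dockerfile.windows hunk, `RUN net user presidio /add` creates a fresh local account with a blank password and relies on inherited ACLs for whether C:\app is readable by it, which is not verified anywhere in the diff. The windowsservercore base images already ship a built-in low-privilege account for this purpose, so `USER ContainerUser` can replace both added lines without creating an account or managing its password; the same applies to the presidio-anonymizer/Dockerfile.windows hunk on the next line. Whichever account is used, the comment should not say "non-root" on Windows; `# Run as the built-in low-privilege container account instead of ContainerAdministrator` states the actual change. The HEALTHCHECK that follows is cut off at the end of the hunk.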
@@ -10,6 +11,10 @@ RUN python.exe -m pip install --upgrade pip; pip install poetry; poetry install COPY . /app/ +# Create a non-root user for Windows container +RUN net user presidio /add +USER presidio + EXPOSE ${PORT} HEALTHCHECK --interval=30s --timeout=3s --start-period=30s --retries=3 \ CMD powershell -Command "try { Invoke-WebRequest -Uri http://localhost:$env:PORT/health -UseBasicParsing | Out-Null; exit 0 } catch { exit 1 }" diff --git a/presidio-image-redactor/Dockerfile b/presidio-image-redactor/Dockerfile index 131fd250b5..e23a7c14a9 100644 --- a/presidio-image-redactor/Dockerfile +++ b/presidio-image-redactor/Dockerfile @@ -4,6 +4,7 @@ ARG NLP_CONF_FILE ARG ANALYZER_CONF_FILE ARG RECOGNIZER_REGISTRY_CONF_FILE ENV PIP_NO_CACHE_DIR=1 +ENV POETRY_VIRTUALENVS_CREATE=false ENV ANALYZER_CONF_FILE=${ANALYZER_CONF_FILE} ENV RECOGNIZER_REGISTRY_CONF_FILE=${RECOGNIZER_REGISTRY_CONF_FILE} @@ -26,7 +27,16 @@ RUN apt-get update \ COPY ./pyproject.toml /app/ RUN pip install poetry && poetry install --no-root --only=main -E server +# Install spaCy model during build (as root) so it's available to non-root user at runtime +RUN python -m spacy download en_core_web_lg + COPY . /app/ + +# Create a non-root user and set ownership +RUN useradd -m -u 1001 presidio && chown -R presidio:presidio /app + +USER 1001 + EXPOSE ${PORT} HEALTHCHECK --interval=30s --timeout=3s --start-period=30s --retries=3 \ CMD curl -f http://localhost:${PORT}/health || exit 1 diff --git a/presidio-image-redactor/Dockerfile.dev b/presidio-image-redactor/Dockerfile.dev index 1838975f86..b564267909 100644 --- a/presidio-image-redactor/Dockerfile.dev +++ b/presidio-image-redactor/Dockerfile.dev @@ -14,3 +14,8 @@ RUN apt-get update \ && apt-get install ffmpeg libsm6 libxext6 -y RUN pip install poetry + +# Create a non-root user for development +RUN useradd -m -u 1001 presidio + +USER 1001
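Review bot: In the presidio-image-redactor/Dockerfile hunk, the newly added `RUN python -m spacy download en_core_web_lg` is unpinned, so each build fetches whatever model release spaCy resolves at that moment and two builds of the same commit can redact differently. Pin the release explicitly, e.g. `RUN python -m spacy download en_core_web_lg-<MODEL_VERSION> --direct` with the version chosen to match the spaCy pinned in pyproject.toml, and say so in the existing comment so nobody "simplifies" it back. Placing the download before `COPY . /app/` is the right order for caching, and since the model installs as a package into site-packages rather than under /app, the later `chown -R` is not needed for it; that reasoning is worth one line in the comment as well.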