diff --git a/charts/visual-tom/Chart.yaml b/charts/visual-tom/Chart.yaml
index 44233ae..d25f87a 100644
--- a/charts/visual-tom/Chart.yaml
+++ b/charts/visual-tom/Chart.yaml
@@ -7,7 +7,7 @@ description: >
 type: application
 # Chart version (follows SemVer). Increment on every chart change.
-version: 0.1.0
+version: 0.2.0
 # Reference application version (VTOM). ITC, ITM and MFT versions are defined in values.yaml.
 appVersion: "7.3.2c"
diff --git a/charts/visual-tom/templates/itc/deployment.yaml b/charts/visual-tom/templates/itc/deployment.yaml
index 21bc98f..09b8876 100644
--- a/charts/visual-tom/templates/itc/deployment.yaml
+++ b/charts/visual-tom/templates/itc/deployment.yaml
@@ -35,8 +35,10 @@ spec:
       automountServiceAccountToken: false
       {{- include "vtom.imagePullSecrets" . | nindent 6 }}
       securityContext:
-        runAsNonRoot: false # TODO: activer avec runAsUser quand UID confirmé par Absyss
-        fsGroup: 0
+        runAsNonRoot: true
+        runAsUser: 10001
+        runAsGroup: 10001
+        fsGroup: 10001
         seccompProfile:
           type: RuntimeDefault
       initContainers:
diff --git a/charts/visual-tom/templates/itm/deployment.yaml b/charts/visual-tom/templates/itm/deployment.yaml
index b381f0d..de58e86 100644
--- a/charts/visual-tom/templates/itm/deployment.yaml
+++ b/charts/visual-tom/templates/itm/deployment.yaml
@@ -35,8 +35,10 @@ spec:
       automountServiceAccountToken: false
       {{- include "vtom.imagePullSecrets" . | nindent 6 }}
       securityContext:
-        runAsNonRoot: false # TODO: activer avec runAsUser quand UID confirmé par Absyss
-        fsGroup: 0
+        runAsNonRoot: true
+        runAsUser: 10001
+        runAsGroup: 10001
+        fsGroup: 10001
         seccompProfile:
           type: RuntimeDefault
       initContainers:
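Review bot: The UID 10001 is hardcoded in the ITC pod securityContext (and identically in the ITM hunk that follows), so there is no per-cluster override, and the values.yaml comment updated in this same commit explains that a hardcoded UID conflicts with OpenShift's nonroot SCC, which assigns a UID from the namespace range — that concern now applies to these two deployments. Consider reading the UID from values with 10001 as the default, e.g. `runAsUser: {{ .Values.<component>.securityContext.runAsUser | default 10001 }}` (placeholder path), and documenting the constant where it is used: `# 10001 = UID/GID of the 'absyss' user; must match file ownership in the image and on the data volume`. The removed line carried a TODO saying the UID was awaiting confirmation from the vendor; the new lines should record that it was confirmed rather than drop the trail. Volumes provisioned under chart 0.1.0 with fsGroup 0 may still hold root-owned data, and fsGroup 10001 only fixes ownership on volume types whose driver supports ownership management, so the upgrade path deserves a NOTES or README mention.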
@@ -44,28 +46,6 @@ spec:
       {{- if .Values.dbProxy.enabled }}
       {{- include "vtom.initContainer.waitForDb" . | nindent 8 }}
       {{- end }}
-        - name: prepare-itm-data
-          image: busybox:1.36
-          command:
-            - sh
-            - -c
-            - |
-              mkdir -p /var/lib/absyss/visual-it-messenger/log
-              mkdir -p /var/lib/absyss/visual-it-messenger/license
-          resources:
-            requests:
-              cpu: "10m"
-              memory: "16Mi"
-            limits:
-              cpu: "10m"
-              memory: "16Mi"
-          securityContext:
-            allowPrivilegeEscalation: false
-            capabilities:
-              drop: ["ALL"]
-          volumeMounts:
-            - name: itm-data
-              mountPath: /var/lib/absyss/visual-it-messenger
       containers:
         - name: itm
           image: {{ include "itm.image" . | quote }}
diff --git a/charts/visual-tom/templates/vtom/deployment-apiserver.yaml b/charts/visual-tom/templates/vtom/deployment-apiserver.yaml
index c6d278e..c3e8260 100644
--- a/charts/visual-tom/templates/vtom/deployment-apiserver.yaml
+++ b/charts/visual-tom/templates/vtom/deployment-apiserver.yaml
@@ -104,8 +104,15 @@ spec:
           volumeMounts:
             - name: customer-data
               mountPath: /var/lib/absyss/visual-tom
+            # Mount the license secret inside the PVC (customer-data) so the entrypoint
+            # symlink /opt/absyss/visual-tom/license -> /var/lib/absyss/visual-tom/license
+            # works as intended. Mounting under /opt/.../license/ instead would turn that
+            # directory into a non-removable mountpoint, the rm -rf + ln -s would silently
+            # misfire, and license.data / license.diagnostic / license.events written by
+            # the Java code would land on the container rootfs (lost at each restart →
+            # a new License Server "Register instance" every reboot → quota burn).
             - name: license
-              mountPath: /opt/absyss/visual-tom/license/{{ .Values.vtom.license.secretKey }}
+              mountPath: /var/lib/absyss/visual-tom/license/{{ .Values.vtom.license.secretKey }}
               subPath: {{ .Values.vtom.license.secretKey }}
               readOnly: true
       volumes:
diff --git a/charts/visual-tom/values-client-template.yaml b/charts/visual-tom/values-client-template.yaml
index 53cc030..f19c47a 100644
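Review bot: On an empty customer-data PVC, the directory `/var/lib/absyss/visual-tom/license` that the new mountPath nests under has to be created by the container runtime as a mount-point parent, and such directories are typically root-owned 0755, so a process running under the non-root runAsUser recommended in values.yaml may be unable to write `license.data` / `license.events` there — the very failure the new comment sets out to avoid. If the entrypoint does not create or chown that directory itself, an init container that creates it on the PVC with the right ownership (analogous to the one this commit removes from the ITM deployment) is worth adding, and the rationale comment should state who is responsible for creating the directory. Kubernetes also does not propagate Secret updates into subPath mounts, so a rotated license only takes effect after a pod restart; a line such as `# subPath mounts do not receive Secret updates — restart the pod after rotating the license` would prevent a surprise. The container definition continues outside the hunk.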
--- a/charts/visual-tom/values-client-template.yaml
+++ b/charts/visual-tom/values-client-template.yaml
@@ -174,6 +174,9 @@ mft:
     # Restrict allowed IPs — RECOMMENDED in production.
     # Leaving empty opens access from the entire VNet (internal LB) or internet (public LB).
+    # IMPORTANT: this only filters at the LoadBalancer level. To also allow the same
+    # external CIDRs through the K8s NetworkPolicy on the MFT pod, mirror them in
+    # networkPolicy.sftpExternalCidrs below. Both layers must allow the traffic.
     loadBalancerSourceRanges: []
     # - "10.0.0.0/8"  # Internal network
     # - "185.1.2.3/32"  # Fixed IP of partner SFTP clients
@@ -193,6 +196,22 @@ mft:
   # nodeSelector: {}
   # affinity: {}
+# -----------------------------------------------------------------------------
+# NetworkPolicy
+# Cluster-side firewall on the MFT pod (in addition to the cloud LoadBalancer
+# firewall configured via mft.sftpService.loadBalancerSourceRanges).
+# -----------------------------------------------------------------------------
+networkPolicy:
+  # External CIDRs allowed to reach the MFT SFTP port (30022) at the pod level.
+  # MUST mirror mft.sftpService.loadBalancerSourceRanges for external SFTP clients
+  # to actually reach the pod — both filtering layers apply in series.
+  # With MFT externalTrafficPolicy: Local (default), the pod sees the real client IP,
+  # so list the actual partner CIDRs here.
+  # Leave empty to restrict SFTP to internal/agent traffic only (production default).
+  sftpExternalCidrs: []
+  # - "203.0.113.0/24"  # Partner network A
+  # - "198.51.100.10/32"  # Fixed IP of partner SFTP client
+
 # -----------------------------------------------------------------------------
 # Database — connection
 # FQDN or IP of the PostgreSQL 17 server accessible from the cluster.
diff --git a/charts/visual-tom/values.yaml b/charts/visual-tom/values.yaml
index 7637d10..a24d43e 100644
--- a/charts/visual-tom/values.yaml
+++ b/charts/visual-tom/values.yaml
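Review bot: `networkPolicy.sftpExternalCidrs` must be kept in sync with `mft.sftpService.loadBalancerSourceRanges` by hand; both comments say so, but nothing enforces it, and a CIDR present in one list and missing from the other fails silently at whichever layer denies it. Consider having the NetworkPolicy template fall back to `mft.sftpService.loadBalancerSourceRanges` when `sftpExternalCidrs` is empty, or printing a warning from NOTES.txt when the two lists differ, so drift is reported at install time rather than discovered from a client timeout. The comment also ties real-client-IP visibility to `externalTrafficPolicy: Local`; spelling out the failure mode helps operators who change it: `# With externalTrafficPolicy: Cluster the source is SNATed to a node IP and these CIDRs will not match — keep Local.`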
@@ -512,13 +512,14 @@ networkPolicy:
   sftpExternalCidrs: []
 # -----------------------------------------------------------------------------
-# Pod security context
+# Pod security context — applies to VTOM components only (server, apiserver, agent).
 # runAsUser: numeric UID required on standard K8s when the image uses a symbolic
 # user (e.g.: USER vtom) — K8s cannot verify runAsNonRoot without a numeric UID.
 # Leave null on OpenShift: the nonroot SCC assigns the UID automatically from the
 # namespace range, avoiding conflicts with a hardcoded UID.
-# Recommended value for VTOM images (server, apiserver, agent): 1000
-# ITC and ITM still run as root — not applicable for now.
+# Recommended value for VTOM images (server, apiserver, agent): 1000 (set in values-.yaml).
+# ITC, ITM and MFT run under their own hardcoded uid 10001 (absyss) in their templates
+# and ignore this value.
 # -----------------------------------------------------------------------------
 securityContext:
   runAsUser: null
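Review bot: The new text `(set in values-.yaml)` reads as a truncated file name; from the rest of this diff the intended reference is presumably `values-client-template.yaml` (or the per-client file derived from it), so spell it out. The sentence stating that ITC, ITM and MFT all run under hardcoded uid 10001 is backed only by the ITC and ITM template changes in this commit; if the MFT template is not touched here, confirm it already pins that UID, otherwise the comment overstates what the chart enforces. A closing line saying where the pinned value lives, e.g. `# The 10001 value is set directly in the itc/, itm/ and mft/ deployment templates.`, would tell an operator where to look when the UID needs to change.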