diff --git a/devops/gc/deploy/templates/deployment.yaml b/devops/gc/deploy/templates/deployment.yaml
index 3f22bdecc4f23ea6fa6f454681564bda82509520..71a8cb86e3703e05c3940ba13328b1a30008fd70 100644
--- a/devops/gc/deploy/templates/deployment.yaml
+++ b/devops/gc/deploy/templates/deployment.yaml
@@ -38,7 +38,7 @@ spec:
           {{- end }}
           securityContext:
             allowPrivilegeEscalation: false
-            runAsUser: 0
+            runAsNonRoot: true
           ports:
             - containerPort: 8080
           resources:
diff --git a/provider/notification-gc/cloudbuild/Dockerfile.cloudbuild b/provider/notification-gc/cloudbuild/Dockerfile.cloudbuild
index d9a1915cbca9b862ed42c568e77012b2c8055389..ed50fe0edbdc10e6129533f4661ca1a36793bc86 100644
--- a/provider/notification-gc/cloudbuild/Dockerfile.cloudbuild
+++ b/provider/notification-gc/cloudbuild/Dockerfile.cloudbuild
@@ -6,5 +6,10 @@ ARG PORT
 ENV PORT $PORT
 # Copy the jar to the production image from the builder stage.
 COPY provider/notification-${PROVIDER_NAME}/target/notification-${PROVIDER_NAME}-*-spring-boot.jar notification-${PROVIDER_NAME}.jar
+# Add a non-root user
+RUN groupadd -g 10001 -r nonroot \
+  && useradd -g 10001 -r -u 10001 nonroot
+# Run as non-root user
+USER 10001:10001
 # Run the web service on container startup.
 CMD java -Djava.security.egd=file:/dev/./urandom -Dserver.port=${PORT} -Dlog4j.formatMsgNoLookups=true -jar /app/notification-${PROVIDER_NAME}.jar