diff --git a/modules/lamassu-lnbits.nix b/modules/lamassu-lnbits.nix
index 0015d99..996841e 100644
--- a/modules/lamassu-lnbits.nix
+++ b/modules/lamassu-lnbits.nix
@@ -281,11 +281,11 @@ in
 TimeoutStartSec = "30min";
 KillMode = "process";
 KillSignal = "SIGTERM";
- # Disable sandboxing for build
- PrivateTmp = false;
- ProtectSystem = false;
- ProtectHome = false;
- NoNewPrivileges = false;
+ # Sandboxing with write access to data directory
+ ProtectSystem = "strict";
+ ProtectHome = true;
+ NoNewPrivileges = true;
+ ReadWritePaths = [ cfg.dataDir ];
 };
 script = ''
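Review bot: The new sandbox block drops `PrivateTmp` instead of enabling it, so with `ProtectSystem = "strict"` the unit gets a read-only /tmp and /var/tmp rather than a private writable one; adding `PrivateTmp = true;` next to `NoNewPrivileges = true;` would harden the unit further and give the script a temp directory. The removed comment says sandboxing was off "for build" and the unit keeps `TimeoutStartSec = "30min"`, so the script presumably builds or installs something and may write to temp or per-user cache directories outside `cfg.dataDir`; that should be checked against the script body, which starts at the end of this hunk and is not visible here. Separately, `ReadWritePaths = [ cfg.dataDir ];` only helps if `cfg.dataDir` is not under /home, /root or /run/user, since `ProtectHome = true` makes those trees inaccessible; a short comment such as `# dataDir must live outside /home, /root and /run/user (ProtectHome)` or a module assertion would make that constraint explicit. The enclosing `serviceConfig` attribute set begins before the hunk.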