diff --git a/.env.example b/.env.example
index 8fa3982..5edf74c 100644
--- a/.env.example
+++ b/.env.example
@@ -14,6 +14,12 @@ OTX_API_KEY=
 # (raises throttling from ~5 to ~50 requests / 30s)
 NVD_API_KEY=
 
+# --- Production-only: Let's Encrypt email for the acme-companion sidecar ---
+# Used as the contact address for the TLS cert acme-companion issues for
+# psyc.neuronetz.ai. Safe to leave the default in dev (cert isn't issued
+# without a reachable acme-companion + public DNS + :443).
+# LETSENCRYPT_EMAIL=admin@neuronetz.ai
+
 # --- Internal service URLs — overridden in docker compose; defaults for venv CLI ---
 # PSYC_MOCK_CERT_URL=http://127.0.0.1:8770
 # PSYC_INFERENCE_URL=http://127.0.0.1:8771
diff --git a/docker-compose.yml b/docker-compose.yml
index 6a10a7a..9ca670b 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -20,6 +20,12 @@ services:
 environment:
 VIRTUAL_HOST: psyc.neuronetz.ai
 VIRTUAL_PORT: "8767"
+ # Triggers nginxproxy/acme-companion (which must be running alongside
+ # nginx-proxy on the host) to issue + auto-renew a Let's Encrypt cert
+ # for psyc.neuronetz.ai. LETSENCRYPT_EMAIL comes from .env so per-env
+ # configurable — falls back to the default if unset.
+ LETSENCRYPT_HOST: psyc.neuronetz.ai
+ LETSENCRYPT_EMAIL: ${LETSENCRYPT_EMAIL:-admin@neuronetz.ai}
 PSYC_MOCK_CERT_URL: http://mock-cert:8770
 PSYC_SOAR_URL: http://mock-cert:8770
 PSYC_INFERENCE_URL: http://inference:8771
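Review bot: In the docker-compose.yml hunk, `LETSENCRYPT_HOST` and the `${LETSENCRYPT_EMAIL:-admin@neuronetz.ai}` fallback sit in the base service definition, so any host that brings this file up next to an acme-companion would ask the production CA for a psyc.neuronetz.ai certificate and register the ACME account under the project address without anyone having chosen that. Failed validations from a staging or developer host can count against Let's Encrypt's rate limits for the real hostname, so I would either move both keys into a production-only override file or add `LETSENCRYPT_TEST: ${LETSENCRYPT_TEST:-false}` so non-production runs can be pointed at the staging CA. The `:-` form also substitutes the default when the variable is set but empty, so the comment should read `# falls back to the default if unset or empty`, and a production override could use `${LETSENCRYPT_EMAIL:?set LETSENCRYPT_EMAIL in .env}` to fail fast instead. The service block starts and ends outside the hunk, so it is not visible whether port 8767 is still published with `ports:`; if it is, the plaintext listener stays reachable around the TLS proxy and should be checked.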