diff --git a/bin/helm-operations.sh b/bin/helm-operations.sh index b95ac416c..98f7781e4 100755 --- a/bin/helm-operations.sh +++ b/bin/helm-operations.sh @@ -8,9 +8,9 @@ TARGET_SYSTEM="example.dev" CERT_MASTER_EMAIL="certmaster@${TARGET_SYSTEM}" # this IP should match the DNS A record value for TARGET_SYSTEM -# assuming it to be the public address used by clients to reach public Address +# assuming it to be the public address used by clients to reach public Address HOST_IP="" -if [ -z "$HOST_IP" ]; then +if [ -z "$HOST_IP" ]; then HOST_IP=$(wget -qO- https://api.ipify.org) fi @@ -145,7 +145,9 @@ deploy_charts() { "$BASE_DIR/bin/sync-k8s-secret-to-wire-secrets.sh" \ wire-postgresql-secret password \ "$BASE_DIR/values/wire-server/secrets.yaml" \ - .brig.secrets.pgPassword .galley.secrets.pgPassword + .brig.secrets.pgPassword \ + .galley.secrets.pgPassword \ + .background-worker.secrets.pgPassword else echo "⚠️ Warning: PostgreSQL secret 'wire-postgresql-secret' not found, skipping secret sync" echo " Make sure databases-ephemeral chart is deployed before wire-server" diff --git a/changelog.d/3-deploy-builds/wire-server-5.27 b/changelog.d/3-deploy-builds/wire-server-5.27 new file mode 100644 index 000000000..eef103064 --- /dev/null +++ b/changelog.d/3-deploy-builds/wire-server-5.27 @@ -0,0 +1 @@ +Added: update prod and demo example values/secrets for wire-server 5.27, aligning PostgreSQL config, postgresMigration (conversation, teamFeatures), rabbitmq, and mlsPrivateKeys across all services diff --git a/offline/tasks/proc_pull_charts.sh b/offline/tasks/proc_pull_charts.sh index 0ee754d9e..204bcd589 100755 --- a/offline/tasks/proc_pull_charts.sh +++ b/offline/tasks/proc_pull_charts.sh 
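Review bot: `.background-worker.secrets.pgPassword` is the first of the three key paths handed to sync-k8s-secret-to-wire-secrets.sh that contains a hyphen; if that script (not shown here) passes the paths to yq or jq, `.background-worker` is parsed as the arithmetic expression `.background - worker` rather than a key lookup, and the password would not land under that key. Confirm the script quotes hyphenated segments, or pass the path quoted as `'."background-worker".secrets.pgPassword'` if it accepts yq syntax. Because the `else` branch only prints a warning and the demo secrets file in this same change ships `pgPassword: dummyPassword` as a placeholder, a failed write could leave the placeholder in the rendered values, so a post-sync check that each target key actually changed would be worth adding. deploy_charts continues outside the hunk.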
@@ -94,5 +94,5 @@ pull_charts() { #fi } -wire_build="https://raw.githubusercontent.com/wireapp/wire-builds/7b0217a27c1b127bf8f1fedbea9ec03a1e277d5a/build.json" +wire_build="https://raw.githubusercontent.com/wireapp/wire-builds/ecd204f07540e79fc1febe2483a42111129a5d0d/build.json" wire_build_chart_release "$wire_build" | pull_charts diff --git a/values/wire-server/demo-secrets.example.yaml b/values/wire-server/demo-secrets.example.yaml index 7bc5ecad3..788287afd 100644 --- a/values/wire-server/demo-secrets.example.yaml +++ b/values/wire-server/demo-secrets.example.yaml @@ -61,6 +61,20 @@ galley: rabbitmq: username: wire-server password: verysecurepassword + mlsPrivateKeys: + removal: + ed25519: | + -----BEGIN PRIVATE KEY----- + -----END PRIVATE KEY----- + ecdsa_secp256r1_sha256: | + -----BEGIN PRIVATE KEY----- + -----END PRIVATE KEY----- + ecdsa_secp384r1_sha384: | + -----BEGIN PRIVATE KEY----- + -----END PRIVATE KEY----- + ecdsa_secp521r1_sha512: | + -----BEGIN PRIVATE KEY----- + -----END PRIVATE KEY----- gundeck: secrets: @@ -96,6 +110,7 @@ nginz: # RabbitMQ credentials for background-worker. background-worker: secrets: + pgPassword: dummyPassword # gets replaced by the actual secret rabbitmq: username: wire-server password: verysecurepassword diff --git a/values/wire-server/demo-values.example.yaml b/values/wire-server/demo-values.example.yaml index fed128a0a..db7ce569d 100644 --- a/values/wire-server/demo-values.example.yaml +++ b/values/wire-server/demo-values.example.yaml @@ -127,7 +127,9 @@ cannon: # For demo mode only, we don't need to keep websocket connections open on chart upgrades drainTimeout: 10 config: - cassandra: + rabbitmq: + host: rabbitmq + cassandra: host: cassandra-ephemeral metrics: serviceMonitor: 
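Review bot: The four `mlsPrivateKeys.removal` entries under galley carry PEM `BEGIN`/`END` markers with no key body, so they are not valid keys and will presumably fail to parse if galley's MLS feature is on, rather than act as a working default; unlike `pgPassword` further down in this file there is no comment saying they are placeholders. Mark each as such, e.g. `ed25519: | # placeholder: generate per deployment (openssl genpkey -algorithm ed25519); do not deploy empty`, and note that the three `ecdsa_*` entries need keys on their respective curves. If the demo flow is meant to generate these automatically the way helm-operations.sh syncs the PostgreSQL password, say so here.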
@@ -170,6 +172,9 @@ galley: port: "5432" user: wire-server dbname: wire-server + postgresMigration: + conversation: cassandra + teamFeatures: cassandra enableFederation: false # Enable to use federation settings: # prefix URI used when inviting users to a conversation by link @@ -199,6 +204,8 @@ gundeck: # image: # tag: some-tag (only override if you want a newer/different version than what is in the chart) config: + rabbitmq: + host: rabbitmq cassandra: host: cassandra-ephemeral aws: @@ -292,8 +299,24 @@ spar: background-worker: config: + federationDomain: example.com + rabbitmq: + host: rabbitmq cassandra: host: cassandra-ephemeral + cassandraGalley: + host: cassandra-ephemeral + cassandraBrig: + host: cassandra-ephemeral + postgresql: + host: postgresql # DNS name without protocol + port: "5432" + user: wire-server + dbname: wire-server + postgresMigration: + conversation: cassandra + teamFeatures: cassandra + # migrateTeamFeatures: false # Set to true only AFTER setting galley postgresMigration.teamFeatures to migration-to-postgresql # Enable for federation enableFederation: false metrics: diff --git a/values/wire-server/prod-secrets.example.yaml b/values/wire-server/prod-secrets.example.yaml index 23365c9af..c60a0f434 100644 --- a/values/wire-server/prod-secrets.example.yaml +++ b/values/wire-server/prod-secrets.example.yaml @@ -99,6 +99,7 @@ nginz: # RabbitMQ credentials for background-worker. background-worker: secrets: + pgPassword: verysecurepassword rabbitmq: username: guest password: guest diff --git a/values/wire-server/prod-values.example.yaml b/values/wire-server/prod-values.example.yaml index 9af281071..92ac238cc 100644 --- a/values/wire-server/prod-values.example.yaml +++ b/values/wire-server/prod-values.example.yaml 
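Review bot: The new background-worker `postgresMigration` block mirrors galley's values from the `@@ -170` hunk of this file, and the comment on the commented-out `migrateTeamFeatures` key is the only place that records the ordering constraint (galley's `postgresMigration.teamFeatures` must reach `migration-to-postgresql` first). Since galley's block at `@@ -170` has no comment at all, an operator editing galley alone will not see that background-worker must be updated in step; add a one-line cross-reference there, e.g. `postgresMigration: # keep in sync with background-worker.config.postgresMigration below`.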
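Review bot: `pgPassword: verysecurepassword` is added to the prod secrets example without the `# change this` marker that prod-values.example.yaml uses for every other deployment-specific value, and without the `# gets replaced by the actual secret` note its demo counterpart gets in this same change. Suggest `pgPassword: verysecurepassword # change this; must match the password used by brig and galley, which share the same database`, since all three services are configured with `user: wire-server` / `dbname: wire-server` on `postgresql-external-rw` in prod-values.example.yaml. The demo path has helm-operations.sh sync one secret into all three keys; nothing on this page does that for prod, so the comment is what keeps them aligned.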
@@ -28,13 +28,16 @@ brig: elasticsearch: host: elasticsearch-external rabbitmq: - host: rabbitmq-external - # For k8s-based RabbitMQ for k8s based rabbitmq. Use 'rabbitmq-external' for production external RabbitMQ VMs + # Default: rabbitmq-external (for production external RabbitMQ VMs) + # CI/Demo: Change to rabbitmq when using rabbitmq chart from databases-ephemeral + host: rabbitmq-external postgresql: host: postgresql-external-rw # DNS name without protocol port: "5432" user: wire-server dbname: wire-server + postgresqlPool: + size: 10 # adjust pool size as needed based on expected load and available resources useSES: false # Set to false if you want to hand out DynamoDB to store prekeys randomPrekeys: true @@ -52,11 +55,10 @@ brig: teamSettings: https://teams.example.com # change this (or unset if team settings are not used) teamCreatorWelcome: https://teams.example.com/login # change this teamMemberWelcome: https://wire.example.com/download # change this - # TODO: BUG! 5.23 brig charts wont deploy in CI unless federation is enabled! - enableFederation: true # Enable to use federation + enableFederation: false # Keep false unless federation is explicitly configured optSettings: setEnableMLS: false # Enable for MLS protocol use - setFederationDomain: example.com # change this + setFederationDomain: example.com # change this per host deployment # Sync the domain with the 'host' variable in the sftd chart # Comment the next line (by adding '#' before it) if conference calling is not used setSftStaticUrl: "https://sftd.example.com:443" 
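Review bot: The replaced TODO recorded that the 5.23 brig chart would not deploy in CI with federation disabled; the new line `enableFederation: false # Keep false unless federation is explicitly configured` drops that history without saying whether the 5.27 chart this change targets lifts the constraint. If it does, say so in the comment, e.g. `enableFederation: false # Keep false unless federation is explicitly configured (5.23 CI deploy issue no longer applies)`; if it does not, the CI deploy of this example will fail with nothing pointing at the cause.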
@@ -92,7 +94,9 @@ brig: deletionUrl: https://account.example.com/d/?key=${key}&code=${code} invitationUrl: https://account.example.com/i/${code} smtp: - host: smtp # change this if you want to use your own SMTP server + # Default: smtp (for CI/demo environments with demo-smtp chart) + # Production: Change to your actual SMTP server hostname + host: smtp port: 25 # change this connType: plain # change this. Possible values: plain|ssl|tls # proxy: @@ -133,7 +137,9 @@ cannon: # For demo mode only, we don't need to keep websocket connections open on chart upgrades drainTimeout: 10 config: - rabbitmq: # Default value for CI, for on-prem deployment, use rabbitmq-external + rabbitmq: + # Default: rabbitmq-external (for production external RabbitMQ VMs) + # CI/Demo: Change to rabbitmq when using rabbitmq chart from databases-ephemeral host: rabbitmq-external cassandra: host: cassandra-external @@ -170,13 +176,22 @@ galley: config: cassandra: host: cassandra-external - rabbitmq: # Default value for CI, for on-prem deployment, use rabbitmq-external + rabbitmq: + # Default: rabbitmq-external (for production external RabbitMQ VMs) + # CI/Demo: Change to rabbitmq when using rabbitmq chart from databases-ephemeral host: rabbitmq-external postgresql: host: postgresql-external-rw # DNS name without protocol port: "5432" user: wire-server dbname: wire-server + postgresqlPool: + size: 10 # adjust pool size as needed based on expected load and available resources + # Explicitly set postgresMigration to cassandra for fresh deployments. + # This controls whether galley reads conversations/teamFeatures from Cassandra or PostgreSQL. + postgresMigration: + conversation: cassandra + teamFeatures: cassandra enableFederation: false # Enable to use federation settings: # prefix URI used when inviting users to a conversation by link 
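Review bot: The new production note on `smtp.host` tells operators to point at their own mail server but leaves `connType: plain # change this. Possible values: plain|ssl|tls` two lines below as the only hint that the transport is unencrypted; an operator who follows the new comment and changes just the host sends mail, presumably including the `${code}` links in the `deletionUrl` / `invitationUrl` templates above, in cleartext to an off-cluster server. Extend the comment so the two settings are changed together, e.g. `# Production: Change to your actual SMTP server hostname and set connType below to tls or ssl`.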
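Review bot: The comment on galley's `postgresMigration` explains what the setting controls but not which values it accepts; the only other mention on this page, in demo-values.example.yaml, refers to a `migration-to-postgresql` value and an ordering constraint with background-worker's `migrateTeamFeatures`. Since the same block is repeated without any comment for background-worker at `@@ -345`, list the accepted values here once, e.g. `# Accepted values include cassandra (fresh deployments) and migration-to-postgresql; keep galley and background-worker in sync`, and check the chart's own documentation for any further states before listing them. `postgresqlPool.size: 10` also duplicates brig's setting at `@@ -28` with the same comment, which is fine but worth a cross-reference so the two do not drift apart.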
@@ -184,7 +199,7 @@ galley: federationDomain: example.com # change this # see #RefConfigOptions in `/docs/reference` (https://github.com/wireapp/wire-server/) featureFlags: - mls: + mls: # Keep disabled unless MLS is explicitly configured defaults: status: enabled config: @@ -194,7 +209,7 @@ galley: defaultCipherSuite: 2 supportedProtocols: [proteus, mls] lockStatus: unlocked - mlsMigration: + mlsMigration: # Keep disabled unless MLS migration is explicitly configured defaults: status: enabled config: @@ -231,7 +246,11 @@ gundeck: # image: # tag: some-tag (only override if you want a newer/different version than what is in the chart) config: - rabbitmq: # Default value for CI, for on-prem deployment, use rabbitmq-external + redis: + host: databases-ephemeral-redis-ephemeral # Updated hostname for redis-ephemeral chart + rabbitmq: + # Default: rabbitmq-external (for production external RabbitMQ VMs) + # CI/Demo: Change to rabbitmq when using rabbitmq chart from databases-ephemeral host: rabbitmq-external cassandra: host: cassandra-external @@ -337,7 +356,9 @@ background-worker: config: federationDomain: example.com # logLevel: Debug - rabbitmq: # Default value for CI, for on-prem deployment, use rabbitmq-external + rabbitmq: + # Default: rabbitmq-external (for production external RabbitMQ VMs) + # CI/Demo: Change to rabbitmq when using rabbitmq chart from databases-ephemeral host: rabbitmq-external cassandra: host: cassandra-external @@ -345,6 +366,16 @@ background-worker: host: cassandra-external cassandraBrig: host: cassandra-external + postgresql: + host: postgresql-external-rw # DNS name without protocol + port: "5432" + user: wire-server + dbname: wire-server + postgresqlPool: + size: 5 # Background worker has fewer connections to DB, so smaller pool size is fine + postgresMigration: + conversation: cassandra + teamFeatures: cassandra # Enable for federation enableFederation: false metrics:
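Review bot: The added comment `mls: # Keep disabled unless MLS is explicitly configured` contradicts the value directly beneath it, `defaults: status: enabled`, and the same mismatch is introduced at `@@ -194` for `mlsMigration`, whose `defaults.status` is also `enabled`. Either the status should match the new intent or the comment should describe what is actually shipped; as written a reader may assume MLS is off in the prod example, while brig's `setEnableMLS: false` at `@@ -52` and galley's enabled feature flag already disagree with each other. If MLS is meant to be off by default, change the two `status: enabled` lines to `status: disabled` and keep the comments; otherwise reword them to something like `# enabled by default; see setEnableMLS in brig`.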
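Review bot: `redis.host: databases-ephemeral-redis-ephemeral` is added to the production example while every other backend in this file (`cassandra-external`, `rabbitmq-external`, `postgresql-external-rw`, `elasticsearch-external`) points at an external service, and the comment `# Updated hostname for redis-ephemeral chart` names an in-cluster ephemeral chart. A prod deployment that keeps this value puts gundeck's redis-backed state on the ephemeral redis from databases-ephemeral, the opposite of the convention the file otherwise follows; either point it at an external host with the usual `# change this` note, or carry the same two-line Default/CI-Demo comment the rabbitmq entries got so the choice is explicit, e.g. `host: redis-external # change this; databases-ephemeral-redis-ephemeral is for CI/demo only`.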