diff --git a/infra/overlays/upc-dev/kustomization.yaml b/infra/overlays/upc-dev/kustomization.yaml
index fac7510..289efcc 100644
--- a/infra/overlays/upc-dev/kustomization.yaml
+++ b/infra/overlays/upc-dev/kustomization.yaml
@@ -4,6 +4,8 @@ resources:
 - ../../base
 - vaultwarden-postgresql
 - vaultwarden
+- passwordpusher-postgresql
+- passwordpusher
 # No patches needed — base already has "upc-dev" paths
 # upc-dev is the default/base cluster
diff --git a/infra/overlays/upc-dev/passwordpusher-postgresql/kustomization.yaml b/infra/overlays/upc-dev/passwordpusher-postgresql/kustomization.yaml
new file mode 100644
index 0000000..9734af9
--- /dev/null
+++ b/infra/overlays/upc-dev/passwordpusher-postgresql/kustomization.yaml
@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- passwordpusher-postgresql.yaml
diff --git a/infra/overlays/upc-dev/passwordpusher-postgresql/passwordpusher-postgresql.yaml b/infra/overlays/upc-dev/passwordpusher-postgresql/passwordpusher-postgresql.yaml
new file mode 100644
index 0000000..126f49e
--- /dev/null
+++ b/infra/overlays/upc-dev/passwordpusher-postgresql/passwordpusher-postgresql.yaml
@@ -0,0 +1,46 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: passwordpusher
+---
+
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: passwordpusher-postgresql
+ namespace: argocd
+ annotations:
+ argocd.argoproj.io/sync-wave: "0"
+ labels:
+ app.kubernetes.io/name: passwordpusher-postgresql
+ app.kubernetes.io/part-of: security
+ app.kubernetes.io/managed-by: argocd
+ finalizers:
+ - resources-finalizer.argocd.argoproj.io
+spec:
+ project: default
+
+ source:
+ repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
+ targetRevision: HEAD
+ path: infra/overlays/upc-dev/passwordpusher-postgresql/resources
+
+ destination:
+ server: https://kubernetes.default.svc
+ namespace: passwordpusher
+
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
+ allowEmpty: false
+ syncOptions:
+ - CreateNamespace=true
+ - Validate=true
+ - ServerSideApply=true
+
+ ignoreDifferences:
+ - group: apps
+ kind: StatefulSet
+ jsonPointers:
+ - /spec/volumeClaimTemplates
diff --git a/infra/overlays/upc-dev/passwordpusher-postgresql/resources/kustomization.yaml b/infra/overlays/upc-dev/passwordpusher-postgresql/resources/kustomization.yaml
new file mode 100644
index 0000000..17c4086
--- /dev/null
+++ b/infra/overlays/upc-dev/passwordpusher-postgresql/resources/kustomization.yaml
@@ -0,0 +1,9 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- postgresql.yaml
+# passwordpusher-db-secret-sealed.yaml must be created separately:
+# 1. Create a Secret with keys: DATABASE_URL, pgusername, pgpassword
+# (DATABASE_URL must be: postgresql://:@passwordpusher-postgresql:5432/passwordpusher)
+# 2. Seal it with kubeseal targeting the passwordpusher namespace
+# 3. Add the resulting file here as a resource
diff --git a/infra/overlays/upc-dev/passwordpusher-postgresql/resources/postgresql.yaml b/infra/overlays/upc-dev/passwordpusher-postgresql/resources/postgresql.yaml
new file mode 100644
index 0000000..8bca15c
--- /dev/null
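Review bot: `project: default` together with `targetRevision: HEAD` and `automated: {prune: true, selfHeal: true}` means anything merged to the repo's default branch is applied to the cluster immediately, and the default AppProject places no restriction on which source repos or destination namespaces this Application may use. For the component that owns the database (and, per the sibling kustomization comment, will eventually carry a SealedSecret), I would pin the source to a named branch, `targetRevision: main`, and move it into a dedicated AppProject whose `sourceRepos` lists only the launchpad repo and whose `destinations` is limited to `namespace: passwordpusher`. The `Namespace` object is declared in this file while the Application also sets `CreateNamespace=true`; that is harmless, but a one-line comment stating which one is authoritative would stop a later cleanup removing the wrong one.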
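Review bot: The procedure comment never states the Secret's `metadata.name`, yet `postgresql.yaml` reads `secretKeyRef.name: passwordpusher-db-creds` and the upc-dev values reference the same name through `envFrom`; a Secret named after the file (`passwordpusher-db-secret-sealed`) would leave the StatefulSet in CreateContainerConfigError. I would make the name explicit, `# 1. Create a Secret named passwordpusher-db-creds in namespace passwordpusher with keys DATABASE_URL, pgusername, pgpassword`, and add a step for the second secret the app consumes that is documented nowhere in this change, `# 4. Repeat for passwordpusher-smtp-creds (SMTP credentials read by the pwpush chart via envFrom)`. The DATABASE_URL example as rendered shows an empty `:@` credential pair — presumably placeholders were lost — so spell them out as `postgresql://PGUSERNAME:PGPASSWORD@passwordpusher-postgresql:5432/passwordpusher` and note that the password must be URL-encoded if it contains reserved characters. Since these Secrets are created out of band, it is also worth saying that they must exist before the first sync or the wave-0 app will sit Degraded.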
+++ b/infra/overlays/upc-dev/passwordpusher-postgresql/resources/postgresql.yaml 
@@ -0,0 +1,98 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: passwordpusher-postgresql
+ namespace: passwordpusher
+ labels:
+ app.kubernetes.io/name: postgresql
+ app.kubernetes.io/instance: passwordpusher
+ app.kubernetes.io/component: database
+spec:
+ type: ClusterIP
+ ports:
+ - name: tcp-postgresql
+ port: 5432
+ targetPort: tcp-postgresql
+ selector:
+ app.kubernetes.io/name: postgresql
+ app.kubernetes.io/instance: passwordpusher
+---
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+ name: passwordpusher-postgresql
+ namespace: passwordpusher
+ labels:
+ app.kubernetes.io/name: postgresql
+ app.kubernetes.io/instance: passwordpusher
+ app.kubernetes.io/component: database
+spec:
+ serviceName: passwordpusher-postgresql
+ replicas: 1
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: postgresql
+ app.kubernetes.io/instance: passwordpusher
+ template:
+ metadata:
+ labels:
+ app.kubernetes.io/name: postgresql
+ app.kubernetes.io/instance: passwordpusher
+ app.kubernetes.io/component: database
+ spec:
+ containers:
+ - name: postgresql
+ image: postgres:16-alpine
+ ports:
+ - name: tcp-postgresql
+ containerPort: 5432
+ env:
+ - name: POSTGRES_USER
+ valueFrom:
+ secretKeyRef:
+ name: passwordpusher-db-creds
+ key: pgusername
+ - name: POSTGRES_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: passwordpusher-db-creds
+ key: pgpassword
+ - name: POSTGRES_DB
+ value: passwordpusher
+ - name: PGDATA
+ value: /var/lib/postgresql/data/pgdata
+ volumeMounts:
+ - name: data
+ mountPath: /var/lib/postgresql/data
+ livenessProbe:
+ exec:
+ command:
+ - sh
+ - -c
+ - pg_isready -U "$POSTGRES_USER" -d passwordpusher
+ initialDelaySeconds: 30
+ periodSeconds: 10
+ readinessProbe:
+ exec:
+ command:
+ - sh
+ - -c
+ - pg_isready -U "$POSTGRES_USER" -d passwordpusher
+ initialDelaySeconds: 5
+ periodSeconds: 5
+ resources:
+ requests:
+ cpu: 100m
+ memory: 256Mi
+ limits:
+ cpu: 500m
+ memory: 512Mi
+ volumeClaimTemplates:
+ - metadata:
+ name: data
+ spec:
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 2Gi
diff --git a/infra/overlays/upc-dev/passwordpusher/kustomization.yaml b/infra/overlays/upc-dev/passwordpusher/kustomization.yaml
new file mode 100644
index 0000000..46f0c33
--- /dev/null
+++ b/infra/overlays/upc-dev/passwordpusher/kustomization.yaml
@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- passwordpusher.yaml
diff --git a/infra/overlays/upc-dev/passwordpusher/passwordpusher.yaml b/infra/overlays/upc-dev/passwordpusher/passwordpusher.yaml
new file mode 100644
index 0000000..89a24be
--- /dev/null
+++ b/infra/overlays/upc-dev/passwordpusher/passwordpusher.yaml
@@ -0,0 +1,43 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: passwordpusher
+ namespace: argocd
+ annotations:
+ argocd.argoproj.io/sync-wave: "1"
+ labels:
+ app.kubernetes.io/name: passwordpusher
+ app.kubernetes.io/part-of: security
+ app.kubernetes.io/managed-by: argocd
+ finalizers:
+ - resources-finalizer.argocd.argoproj.io
+spec:
+ project: default
+
+ sources:
+ - repoURL: https://pglombardo.github.io/passwordpusher-charts
+ chart: password-pusher
+ targetRevision: "1.4.4"
+ helm:
+ releaseName: passwordpusher
+ valueFiles:
+ - $values/infra/values/base/passwordpusher-values.yaml
+ - $values/infra/values/upc-dev/passwordpusher-values.yaml
+
+ - repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
+ targetRevision: HEAD
+ ref: values
+
+ destination:
+ server: https://kubernetes.default.svc
+ namespace: passwordpusher
+
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
+ allowEmpty: false
+ syncOptions:
+ - CreateNamespace=true
+ - Validate=true
+ - ServerSideApply=true
diff --git a/infra/values/base/passwordpusher-values.yaml b/infra/values/base/passwordpusher-values.yaml
new file mode 100644
index 0000000..f168a30
--- /dev/null
+++ b/infra/values/base/passwordpusher-values.yaml
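Review bot: The StatefulSet's pod template sets no `securityContext` at pod or container level, so the `postgres:16-alpine` container starts with the image's default privileges (the official image entrypoint starts as root to fix data-directory ownership before switching to the postgres user, as far as I recall — confirm) with the full default capability set and no seccomp profile. For a database holding pushed secrets I would run it non-root from the start with `fsGroup` so the PVC stays writable, drop all capabilities and disable privilege escalation; the uid below is the postgres user in the alpine variant and needs confirming against the image. Two further points: the `ClusterIP` Service makes port 5432 reachable from every namespace in the cluster, so a `NetworkPolicy` allowing ingress only from the pwpush pods in this namespace would be appropriate, and `postgres:16-alpine` is a floating tag, so consider pinning a digest (`image: postgres:16-alpine@sha256:...`) and recording how it is bumped.
```yaml
    spec:
      securityContext:
        runAsNonRoot: true
        runAsUser: 70       # postgres uid in the alpine image — confirm
        runAsGroup: 70
        fsGroup: 70
        seccompProfile:
          type: RuntimeDefault
      containers:
      - name: postgresql
        image: postgres:16-alpine
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop: ["ALL"]
        # … unchanged: ports, env, volumeMounts, probes, resources …
```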
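Review bot: The chart version is pinned (`targetRevision: "1.4.4"`), but the `ref: values` source tracks `targetRevision: HEAD`, so the values that decide exposure and authentication (`PWP__ALLOW_ANONYMOUS`, `PWP__SIGNUPS_ENABLED`, the public Ingress) are auto-applied with prune and self-heal from whatever is on the default branch, under the unrestricted `default` AppProject. I would pin the values source, `targetRevision: main`, and move this Application into the same scoped AppProject as the database app so both are limited to the launchpad repo and the `passwordpusher` namespace. This app also depends on two Secrets (`passwordpusher-db-creds`, `passwordpusher-smtp-creds`) that nothing in this change creates; a short comment on the Application, or on the values file, naming that out-of-band dependency would save the next person bootstrapping a cluster from staring at a Degraded app with no hint. Argo does not verify Helm chart provenance for an HTTPS chart repo, so pinning the chart version is the only integrity control here — worth noting next to `targetRevision`.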
@@ -0,0 +1,7 @@
+image:
+ repository: docker.io/pglombardo/pwpush
+ tag: "release-1.51.0"
+
+# Disable the bundled postgresql subchart — we run our own StatefulSet
+postgresql:
+ enabled: false
diff --git a/infra/values/upc-dev/passwordpusher-values.yaml b/infra/values/upc-dev/passwordpusher-values.yaml
new file mode 100644
index 0000000..63c1b2c
--- /dev/null
+++ b/infra/values/upc-dev/passwordpusher-values.yaml
@@ -0,0 +1,50 @@
+env:
+ PWP__HOST_DOMAIN: pwpush.forteapps.net
+ PWP__HOST_PROTOCOL: https
+ PWP__ENABLE_LOGINS: "true"
+ PWP__ALLOW_ANONYMOUS: "false"
+ PWP__SIGNUPS_ENABLED: "false"
+ PWP__MAIL_RAISE_DELIVERY_ERRORS: "false"
+ PWP__MAIL_SMTP_ADDRESS: smtp.office365.com
+ PWP__MAIL_SMTP_PORT: "587"
+ PWP__MAIL_SMTP_AUTHENTICATION: login
+ PWP__MAIL_SMTP_STARTTLS: "true"
+ PWP__MAIL_SMTP_DOMAIN: fortedigital.com
+ PWP__MAIL_SENDER: noreply@fortedigital.com
+
+envFrom:
+- secretRef:
+ name: passwordpusher-db-creds
+- secretRef:
+ name: passwordpusher-smtp-creds
+
+ingress:
+ enabled: true
+ className: traefik
+ annotations:
+ cert-manager.io/cluster-issuer: letsencrypt-prod
+ gethomepage.dev/enabled: "true"
+ gethomepage.dev/name: "PasswordPusher"
+ gethomepage.dev/description: "Share passwords securely with expiring links"
+ gethomepage.dev/group: "Security"
+ gethomepage.dev/icon: "passwordpusher"
+ gethomepage.dev/href: "https://pwpush.forteapps.net"
+ hosts:
+ - host: pwpush.forteapps.net
+ paths:
+ - path: /
+ pathType: Prefix
+ tls:
+ - secretName: passwordpusher-tls
+ hosts:
+ - pwpush.forteapps.net
+
+resources:
+ requests:
+ cpu: 100m
+ memory: 256Mi
+ limits:
+ cpu: 500m
+ memory: 512Mi
+
+replicaCount: 1
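Review bot: `tag: "release-1.51.0"` is a mutable Docker Hub tag, so a re-push under the same name would be picked up silently on the next pod restart while the pinned chart version `1.4.4` gives a false sense of immutability. If the chart exposes a digest field, pin it next to the tag (`digest: "sha256:..."`); if it does not, at least record the expected digest in a comment beside the tag so a drift check has something to compare against. The comment on `postgresql.enabled: false` is good; I would extend it to say where the replacement lives, `# Disable the bundled postgresql subchart — we run our own StatefulSet (infra/overlays/upc-dev/passwordpusher-postgresql/resources/postgresql.yaml)`, since the two are linked only by the Secret name.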
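Review bot: `envFrom` injects the whole `passwordpusher-db-creds` Secret into the app container, which per the sibling StatefulSet also holds `pgusername`/`pgpassword` — the credentials the database is bootstrapped with, i.e. its superuser — so the web app runs against Postgres as the superuser and carries two environment variables it does not need. I would keep `DATABASE_URL` for the app in its own Secret whose role is a dedicated, non-superuser owner of the `passwordpusher` database, and leave the bootstrap credentials to the StatefulSet only; the change here is `- secretRef:` / `  name: passwordpusher-app-db-url` (or whatever name the sealed secret uses) in place of the shared one. The Ingress is public (`letsencrypt-prod`) with logins enabled and anonymous pushes off, yet nothing rate-limits the login and password-reset endpoints; if a Traefik `Middleware` for rate limiting exists in this cluster, attach it via `traefik.ingress.kubernetes.io/router.middlewares: passwordpusher-ratelimit@kubernetescrd`, otherwise this is worth a TODO. Separately, `PWP__MAIL_SMTP_AUTHENTICATION: login` against `smtp.office365.com` relies on basic SMTP AUTH, which Microsoft has been retiring tenant by tenant — confirm it is still permitted on this tenant, because with `PWP__MAIL_RAISE_DELIVERY_ERRORS: "false"` a failure would be silent.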