diff --git a/Deployment.md b/Deployment.md new file mode 100644 index 0000000..89d51dd --- /dev/null +++ b/Deployment.md 
@@ -0,0 +1,113 @@ +# Deployment + +Текущий production-like способ запуска — Docker Compose из `compose.yaml`. + +## Сервисы Compose + +`db`: + +- image: `postgres:17-alpine`; +- database: `gmrelay_db`; +- user: `gmrelay`; +- password: `${POSTGRES_PASSWORD}`; +- volume: `pgdata`; +- healthcheck: `pg_isready`. + +`bot`: + +- image: `git.codeanddice.ru/toutsu/gmrelay-bot:1.1.5`; +- depends on healthy `db`; +- env: `ConnectionStrings__gmrelaydb`, `Telegram__BotToken`. + +`web`: + +- image: `git.codeanddice.ru/toutsu/gmrelay-web:1.1.5`; +- depends on healthy `db`; +- env: `ConnectionStrings__gmrelaydb`, `Telegram__BotToken`, `Telegram__BotUsername`; +- port: `${GMRELAY_WEB_PORT:-8080}:8080`; +- volume: `web_keys` for ASP.NET Data Protection keys. + +## Environment variables + +Required: + +```env +TELEGRAM_BOT_TOKEN=... +TELEGRAM_BOT_USERNAME=... +POSTGRES_PASSWORD=... +``` + +Optional: + +```env +GMRELAY_WEB_PORT=8080 +POSTGRES_VOLUME_NAME=game_pgdata +WEB_KEYS_VOLUME_NAME=gmrelay_web_keys +``` + +Do not commit real `.env` files. + +## Start and stop + +Start: + +```bash +docker compose up -d +``` + +View logs: + +```bash +docker compose logs -f bot +docker compose logs -f web +``` + +Stop services but keep volumes: + +```bash +docker compose down +``` + +Stop and remove data volumes only when intentionally resetting the environment: + +```bash +docker compose down -v +``` + +## Data persistence + +- PostgreSQL data is stored in the `pgdata` volume. +- Web authentication/data-protection keys are stored in the `web_keys` volume. + +The `web_keys` volume matters because cookie auth uses ASP.NET Data Protection. Without persistent keys, existing auth cookies may become invalid after container recreation. 
+ +## Telegram requirements + +For group usage: + +- bot must be a member of the group; +- for forum groups, bot needs topic management rights; +- for deleting source command messages or forum topics, bot needs sufficient admin permissions; +- for Telegram Login Widget, configure the web domain in `@BotFather`. + +## Migration behavior + +The bot applies DbUp migrations on startup before processing Telegram updates. Because migrations are embedded resources in `GmRelay.Bot`, image upgrades can include schema changes. + +Operationally, check bot logs after an upgrade to verify migration success. + +## Security notes + +- Startup logging uses `SecretRedactor` for PostgreSQL connection strings in bot startup logs. +- Web cookies are `HttpOnly`, `SecurePolicy.Always`, `SameSite.Strict`, with 7-day sliding expiration. +- Web responses add `X-Content-Type-Options`, `X-Frame-Options`, `Referrer-Policy`, and `Permissions-Policy` headers. +- Access control for group/session data is enforced by Telegram ID comparison with `game_groups.gm_telegram_id`. + +## Upgrade checklist + +1. Update image tags in `compose.yaml`. +2. Confirm `.env` still has required variables. +3. Run `docker compose pull` if images are available remotely. +4. Run `docker compose up -d`. +5. Check `docker compose logs -f bot` for migrations and Telegram startup. +6. Check web login and one read-only group/session page before using edits. \ No newline at end of file
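Review bot: the `## Upgrade checklist` has no backup step before `4. Run docker compose up -d`, even though `## Migration behavior` says the bot applies DbUp migrations automatically on startup (so an image upgrade can change the schema before anyone looks at the logs) and `## Start and stop` documents `docker compose down -v` as destructive; add a step between 3 and 4 that dumps the database in the `pgdata` volume (for example `pg_dump` run inside the `db` container) and snapshots the `web_keys` volume, so a failed migration can be rolled back rather than only observed in `docker compose logs -f bot`. Two smaller points: the opening paragraph and the `## Сервисы Compose` heading are in Russian while the rest of the file is English, so the document should use one language throughout; and `## Security notes` states that `SecretRedactor` covers PostgreSQL connection strings but says nothing about `Telegram__BotToken`, which both `bot` and `web` receive via env, so document whether the bot token is also redacted from startup logs.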