diff --git a/abra.sh b/abra.sh
index be1f878..b7f4df6 100644
--- a/abra.sh
+++ b/abra.sh
@@ -1,4 +1,4 @@
-export APP_ENTRYPOINT_VERSION=v3
+export APP_ENTRYPOINT_VERSION=v4
 APP_DIR="app:/data"
 
 insert_vaultwarden_admin_token() {
diff --git a/entrypoint.sh.tmpl b/entrypoint.sh.tmpl
index 2be7858..a8335d2 100644
--- a/entrypoint.sh.tmpl
+++ b/entrypoint.sh.tmpl
@@ -1,6 +1,7 @@
 #!/bin/bash
 
 set -e
+umask 027
 
 # set DATABASE_URL with db_password
 set_db_url() {
@@ -48,6 +49,9 @@ fi
 file_env "ADMIN_TOKEN"
 file_env "SMTP_PASSWORD"
 
+# remove world permissions on data
+chmod -R o= /data
+
 # upstream startup command
 # https://github.com/dani-garcia/vaultwarden/blob/60ed5ff99d15dec0b82c85987f9a3e244b8bde91/docker/Dockerfile.j2#L254
 /start.sh