diff --git a/Dockerfile.job b/Dockerfile.job
new file mode 100644
index 0000000..56c9d6b
--- /dev/null
+++ b/Dockerfile.job
@@ -0,0 +1,40 @@
+FROM python:3.11-slim as builder
+
+RUN apt-get update && apt-get install -y --no-install-recommends \
+ build-essential \
+ libpq-dev \
+ && rm -rf /var/lib/apt/lists/*
+
+RUN python -m venv /opt/venv
+ENV PATH="/opt/venv/bin:$PATH"
+
+WORKDIR /app
+COPY requirements/base.txt requirements/base.txt
+COPY requirements/production.txt requirements/production.txt
+
+RUN pip install --no-cache-dir --upgrade pip wheel && \
+ pip install --no-cache-dir -r requirements/production.txt
+
+FROM python:3.11-slim
+
+RUN apt-get update && apt-get install -y --no-install-recommends \
+ libpq5 \
+ && rm -rf /var/lib/apt/lists/*
+
+RUN groupadd --gid 1000 appgroup && \
+ useradd --uid 1000 --gid appgroup --shell /bin/bash --create-home appuser
+
+COPY --from=builder /opt/venv /opt/venv
+ENV PATH="/opt/venv/bin:$PATH"
+
+WORKDIR /app
+COPY --chown=appuser:appgroup . .
+
+RUN mkdir -p /app/logs && chown -R appuser:appgroup /app/logs
+
+USER appuser
+
+HEALTHCHECK --interval=60s --timeout=10s --start-period=10s --retries=3 \
+ CMD pgrep -f "job_runner" || exit 1
+
+CMD ["python", "scripts/job_runner.py"]
diff --git a/docker-compose.yml b/docker-compose.yml
index acff21d..39e7cf9 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
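Review bot: In Dockerfile.job, `COPY --chown=appuser:appgroup . .` copies the whole build context into the final stage, and since docker-compose.yml in this same commit reads `.env` from that context, the secrets file ends up in an image layer unless a `.dockerignore` (not visible in this diff) excludes it. The `--chown` also makes the application code writable by the account the job runs as; a plain `COPY . .` keeps the code root-owned while `/app/logs` stays the only writable path. Separately, the `HEALTHCHECK` calls `pgrep`, which comes from the `procps` package and does not appear to be installed in the final stage (only `libpq5` is added), so the probe would likely fail on every run; and in shell form the `sh -c` wrapper's own command line contains `job_runner`, so once `pgrep` exists it can match the wrapper instead of the job. Adding `procps` to the runtime `apt-get install` list and switching to exec form, `CMD ["pgrep", "-f", "job_runner"]`, would address both.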
@@ -78,6 +78,42 @@ services: timeout: 10s retries: 3 + zerotier-reconciler: + build: + context: . + dockerfile: Dockerfile.job + env_file: + - .env + environment: + - JOB_NAME=zerotier_reconciliation + - JOB_INTERVAL_SECONDS=${ZEROTIER_RECONCILE_INTERVAL:-120} + depends_on: + db: + condition: service_healthy + redis: + condition: service_healthy + networks: + - authy2-network + restart: unless-stopped + + mfa-compliance: + build: + context: . + dockerfile: Dockerfile.job + env_file: + - .env + environment: + - JOB_NAME=mfa_compliance + - JOB_INTERVAL_SECONDS=${MFA_COMPLIANCE_INTERVAL:-3600} + depends_on: + db: + condition: service_healthy + redis: + condition: service_healthy + networks: + - authy2-network + restart: unless-stopped + networks: authy2-network: driver: bridge
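Review bot: Both `zerotier-reconciler` and `mfa-compliance` load the full `.env` via `env_file`, so each job container receives every secret in that file, whether or not the job uses it; a narrower per-job env file (placeholder: `<job-specific>.env`) would limit what a compromised job can read. Neither service sets any container hardening, and for non-root batch jobs like these it would be reasonable to add `security_opt: ["no-new-privileges:true"]` and `cap_drop: ["ALL"]`, assuming the jobs need no extra capabilities. The two definitions differ only in `JOB_NAME` and the interval default, so a shared extension field (`x-job: &job`, merged with `<<: *job`) would keep them from drifting apart. The hunk starts inside the `services:` map, so the surrounding services are not visible here.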