diff --git a/chart/values-sandbox.yaml b/chart/values-sandbox.yaml
index 8e1647f..530b8c3 100644
--- a/chart/values-sandbox.yaml
+++ b/chart/values-sandbox.yaml
@@ -38,3 +38,9 @@ ingress:
 paths:
 - path: /
 pathType: Prefix
+
+# The sandbox is reproducible (iso-prod refresh), so it needs no offsite backup —
+# and its env=sandbox Vault policy wasn't granted read on the GCS creds path
+# (only prod was, tools#5). Keep the CronJob off here.
+backup:
+ enabled: false
diff --git a/chart/values.yaml b/chart/values.yaml
index e0ba995..6a57dbb 100644
--- a/chart/values.yaml
+++ b/chart/values.yaml
@@ -138,9 +138,11 @@ affinity: {}
 # `auth` Vault role must be granted read on kvv2/). The manual
 # orchestrator ops/backup/dolibarr-backup.sh works today without this.
 backup:
- enabled: false
+ enabled: true
 schedule: "0 3 * * *" # daily 03:00 UTC
 bucket: arcodange-backup
 pgHost: "192.168.1.202" # direct Postgres host (matches ops/sandbox + ops/backup)
 image: postgres:16-alpine
- vaultS3Path: erp/backup # kvv2/ → AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY / AWS_ENDPOINTS
+ # Shared GCS HMAC creds; the erp prod Vault policy was granted read on this path
+ # (tools#5: kv_read_paths). VSO reads kvv2/data/longhorn/gcs-backup.
+ vaultS3Path: longhorn/gcs-backup
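Review bot: `vaultS3Path: longhorn/gcs-backup` in chart/values.yaml makes the ERP backup CronJob use the same GCS HMAC key as Longhorn, so exposure of that key through either workload affects both sets of backups, and the key cannot be rotated or audited per consumer. Whether the key is restricted to the `arcodange-backup` bucket is not visible here; if it is broader, a dedicated HMAC key scoped to that bucket and stored under the ERP's own Vault path would avoid granting the erp policy read on a `longhorn/` path. The same hunk flips the chart default to `enabled: true`, so any values overlay that does not override it (values-sandbox.yaml does, in the first hunk) now schedules the job; keeping `enabled: false` in values.yaml and setting `true` only in the prod overlay, if one exists, would make the safe state the default. The new comment also drops the list of expected secret keys that the removed line carried, which is worth keeping as `# keys: AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY / AWS_ENDPOINTS`. The comment block above `backup:` starts outside the hunk and may still describe the old prerequisite.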