diff --git a/backend/src/database/database.module.ts b/backend/src/database/database.module.ts
index 95155ee..f53ef56 100644
--- a/backend/src/database/database.module.ts
+++ b/backend/src/database/database.module.ts
@@ -37,12 +37,11 @@ import { Unique } from './validators/unique.validator';
           query_timeout: 30_000,
           statement_timeout: 30_000,
         },
-        // No SSL for local/Docker environments
-        ssl:
-          configService.get('ENVIRONMENT') === 'local' ||
-          configService.get('ENVIRONMENT') === 'development'
-            ? false
-            : { rejectUnauthorized: false },
+        // SSL is only needed for remote/managed PostgreSQL (e.g. AWS RDS).
+        // Self-hosted Docker setups use an internal network — no SSL required.
+        ssl: configService.get('DATABASE_SSL') === 'true'
+          ? { rejectUnauthorized: false }
+          : false,
       }),
     }),
   ],
diff --git a/backend/src/database/ormconfig.ts b/backend/src/database/ormconfig.ts
index 3143f88..fe7c797 100644
--- a/backend/src/database/ormconfig.ts
+++ b/backend/src/database/ormconfig.ts
@@ -18,11 +18,9 @@ export default new DataSource({
   migrations: ['dist/database/migrations/*.{ts,js}'],
   migrationsTableName: 'typeorm_migrations',
   synchronize: false,
-  ssl:
-    configService.get('ENVIRONMENT') === 'local' ||
-    configService.get('ENVIRONMENT') === 'development'
-      ? false
-      : {
-          rejectUnauthorized: false,
-        },
+  // SSL is only needed for remote/managed PostgreSQL (e.g. AWS RDS).
+  // Self-hosted Docker setups use an internal network — no SSL required.
+  ssl: configService.get('DATABASE_SSL') === 'true'
+    ? { rejectUnauthorized: false }
+    : false,
 });