diff --git a/bin/helm-operations.sh b/bin/helm-operations.sh index 1f9175579..411ba97d5 100755 --- a/bin/helm-operations.sh +++ b/bin/helm-operations.sh @@ -8,9 +8,9 @@ TARGET_SYSTEM="example.dev" CERT_MASTER_EMAIL="certmaster@${TARGET_SYSTEM}" # this IP should match the DNS A record value for TARGET_SYSTEM -# assuming it to be the public address used by clients to reach public Address +# assuming it to be the public address used by clients to reach public Address HOST_IP="" -if [ -z "$HOST_IP" ]; then +if [ -z "$HOST_IP" ]; then HOST_IP=$(wget -qO- https://api.ipify.org) fi @@ -146,7 +146,9 @@ deploy_charts() { "wire-postgresql-external-secret" \ "password" \ "$BASE_DIR/values/wire-server/secrets.yaml" \ - .brig.secrets.pgPassword .galley.secrets.pgPassword .background-worker.secrets.pgPassword + .brig.secrets.pgPassword \ + .galley.secrets.pgPassword \ + .background-worker.secrets.pgPassword else echo "⚠️ Warning: PostgreSQL secret 'wire-postgresql-external-secret' not found, skipping secret sync" echo " Make sure databases-ephemeral chart is deployed before wire-server" diff --git a/changelog.d/3-deploy-builds/wire-server-5.27 b/changelog.d/3-deploy-builds/wire-server-5.27 new file mode 100644 index 000000000..eef103064 --- /dev/null +++ b/changelog.d/3-deploy-builds/wire-server-5.27 @@ -0,0 +1 @@ +Added: update prod and demo example values/secrets for wire-server 5.27, aligning PostgreSQL config, postgresMigration (conversation, teamFeatures), rabbitmq, and mlsPrivateKeys across all services diff --git a/offline/tasks/proc_pull_charts.sh b/offline/tasks/proc_pull_charts.sh index c069320c2..204bcd589 100755 --- a/offline/tasks/proc_pull_charts.sh +++ b/offline/tasks/proc_pull_charts.sh 
@@ -94,5 +94,5 @@ pull_charts() { #fi } -wire_build="https://raw.githubusercontent.com/wireapp/wire-builds/pinned-offline-multi-20260224-142104/build.json" +wire_build="https://raw.githubusercontent.com/wireapp/wire-builds/ecd204f07540e79fc1febe2483a42111129a5d0d/build.json" wire_build_chart_release "$wire_build" | pull_charts diff --git a/values/wire-server/demo-secrets.example.yaml b/values/wire-server/demo-secrets.example.yaml index 7bc5ecad3..3a572f08c 100644 --- a/values/wire-server/demo-secrets.example.yaml +++ b/values/wire-server/demo-secrets.example.yaml @@ -61,6 +61,20 @@ galley: rabbitmq: username: wire-server password: verysecurepassword + #mlsPrivateKeys: + # removal: + # ed25519: | + # -----BEGIN PRIVATE KEY----- + # -----END PRIVATE KEY----- + # ecdsa_secp256r1_sha256: | + # -----BEGIN PRIVATE KEY----- + # -----END PRIVATE KEY----- + # ecdsa_secp384r1_sha384: | + # -----BEGIN PRIVATE KEY----- + # -----END PRIVATE KEY----- + # ecdsa_secp521r1_sha512: | + # -----BEGIN PRIVATE KEY----- + # -----END PRIVATE KEY----- gundeck: secrets: @@ -96,6 +110,7 @@ nginz: # RabbitMQ credentials for background-worker. background-worker: secrets: + pgPassword: dummyPassword # gets replaced by the actual secret rabbitmq: username: wire-server password: verysecurepassword diff --git a/values/wire-server/demo-values.example.yaml b/values/wire-server/demo-values.example.yaml index fed128a0a..db7ce569d 100644 --- a/values/wire-server/demo-values.example.yaml +++ b/values/wire-server/demo-values.example.yaml @@ -127,7 +127,9 @@ cannon: # For demo mode only, we don't need to keep websocket connections open on chart upgrades drainTimeout: 10 config: - cassandra: + rabbitmq: + host: rabbitmq + cassandra: host: cassandra-ephemeral metrics: serviceMonitor: 
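Review bot: The new `wire_build` URL pins build.json to a bare commit hash with nothing saying which build it is, whereas the old ref name at least carried a date. Pinning to a full commit hash is the stronger choice, because a named ref can be moved and a hash cannot, so the change itself is sound. Add a comment above the assignment such as `# wire-builds commit for the wire-server 5.27 offline build; bump together with the changelog.d entry`. The 5.27 mapping is inferred from the changelog file added in this commit and should be confirmed.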
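Review bot: The commented `mlsPrivateKeys` template in the `@@ -61,6 +61,20 @@` hunk has empty PEM bodies and no guidance, so an operator who uncomments it has nothing saying where the keys come from. Add a line above it such as `# generate one removal key per ciphersuite for each deployment; keep the real values out of version control`. Whether the block sits at the right depth under `galley` cannot be checked here, because indentation is not preserved on this page.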
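Review bot: `pgPassword: dummyPassword` under `background-worker.secrets` relies on the sync step in bin/helm-operations.sh to be overwritten. That step prints a warning and skips the sync when `wire-postgresql-external-secret` is not found, in which case the placeholder would be deployed unchanged. The trailing comment should name what replaces it and the failure case, e.g. `# placeholder; overwritten from wire-postgresql-external-secret by bin/helm-operations.sh, stays in effect if that sync is skipped`. That secrets.yaml is derived from this example file is inferred and should be confirmed.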
@@ -170,6 +172,9 @@ galley: port: "5432" user: wire-server dbname: wire-server + postgresMigration: + conversation: cassandra + teamFeatures: cassandra enableFederation: false # Enable to use federation settings: # prefix URI used when inviting users to a conversation by link @@ -199,6 +204,8 @@ gundeck: # image: # tag: some-tag (only override if you want a newer/different version than what is in the chart) config: + rabbitmq: + host: rabbitmq cassandra: host: cassandra-ephemeral aws: @@ -292,8 +299,24 @@ spar: background-worker: config: + federationDomain: example.com + rabbitmq: + host: rabbitmq cassandra: host: cassandra-ephemeral + cassandraGalley: + host: cassandra-ephemeral + cassandraBrig: + host: cassandra-ephemeral + postgresql: + host: postgresql # DNS name without protocol + port: "5432" + user: wire-server + dbname: wire-server + postgresMigration: + conversation: cassandra + teamFeatures: cassandra + # migrateTeamFeatures: false # Set to true only AFTER setting galley postgresMigration.teamFeatures to migration-to-postgresql # Enable for federation enableFederation: false metrics: diff --git a/values/wire-server/prod-values.example.yaml b/values/wire-server/prod-values.example.yaml index a0e8a2c67..c77923038 100644 --- a/values/wire-server/prod-values.example.yaml +++ b/values/wire-server/prod-values.example.yaml @@ -36,6 +36,8 @@ brig: port: "5432" user: wire-server dbname: wire-server + postgresqlPool: + size: 10 # adjust pool size as needed based on expected load and available resources useSES: false # Set to false if you want to hand out DynamoDB to store prekeys randomPrekeys: true 
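Review bot: The demo `galley` `postgresMigration` block in `@@ -170,6 +172,9 @@` sets `conversation` and `teamFeatures` but not `conversationCodes`. The prod example in this same commit sets `conversationCodes: cassandra` for both galley and background-worker. The demo background-worker block in `@@ -292,8 +299,24 @@` has the same gap. If the chart default for that key is not `cassandra`, the demo services would fall back to that default rather than the intended store, so add `conversationCodes: cassandra` to both demo blocks or state why the demo omits it.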
@@ -183,10 +185,14 @@ galley: port: "5432" user: wire-server dbname: wire-server + postgresqlPool: + size: 10 # adjust pool size as needed based on expected load and available resources # Explicitly set postgresMigration to cassandra for fresh deployments. - # This controls whether galley reads conversations from Cassandra or PostgreSQL. + # This controls whether galley reads conversations/teamFeatures from Cassandra or PostgreSQL. postgresMigration: conversation: cassandra + conversationCodes: cassandra + teamFeatures: cassandra enableFederation: false # Enable to use federation settings: # prefix URI used when inviting users to a conversation by link @@ -366,13 +372,15 @@ background-worker: port: "5432" user: wire-server dbname: wire-server - # IMPORTANT: At Chart 5.25.0, the background-worker Helm chart incorrectly defaults - # postgresMigration.conversation to "postgresql" instead of "cassandra". - # This MUST be explicitly set to "cassandra" unless you have already migrated - # conversations to PostgreSQL. Without this override, User Group to Channel sync - # jobs will silently skip member synchronization. + postgresqlPool: + size: 5 # Background worker has fewer connections to DB, so smaller pool size is fine postgresMigration: conversation: cassandra + conversationCodes: cassandra + teamFeatures: cassandra + migrateConversations: false + migrateConversationCodes: false + migrateTeamFeatures: false # Enable for federation enableFederation: false metrics:
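Review bot: In the `@@ -366,13 +372,15 @@` background-worker hunk, the deleted IMPORTANT comment was the only explanation of why `postgresMigration.conversation` must stay `cassandra`. The three new `migrate*: false` flags have no comment either. The demo file does comment `migrateTeamFeatures`, but the prod example, where a wrong value matters most, now says nothing. Add a short note above `postgresMigration`, such as `# fresh deployments: keep every store on cassandra and every migrate* flag false until the matching galley postgresMigration value has been switched`. The ordering for the conversation and conversationCodes flags is inferred from the demo comment and should be confirmed. Separately, the galley comment in `@@ -183,10 +185,14 @@` names conversations and teamFeatures but not the new `conversationCodes` key.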