diff --git a/charts/app/templates/secret.yaml b/charts/app/templates/secret.yaml
index 40f81b347..b51f12ac8 100644
--- a/charts/app/templates/secret.yaml
+++ b/charts/app/templates/secret.yaml
@@ -1,46 +1,46 @@
-{{- if and .Values.global.secrets .Values.global.secrets.enabled}}
-{{- $databaseUser := .Values.global.secrets.databaseUser| default "postgres"  }}
+{{- if and .Values.global.secrets .Values.global.secrets.enabled }}
+{{- $databaseUser := .Values.global.secrets.databaseUser | default "postgres" }}
 {{- $databasePassword := .Values.global.secrets.databasePassword | default (randAlphaNum 10) }}
 {{- $caseManagementApiKey := .Values.global.secrets.caseManagementApiKey | default (randAlphaNum 10) }}
-{{- $secretObj := (lookup "v1" "Secret" .Release.Namespace  "nr-compliance-enforcement" ) | default dict }}
+{{- $secretObj := (lookup "v1" "Secret" .Release.Namespace "nr-compliance-enforcement") | default dict }}
 {{- $secretData := (get $secretObj "data") | default dict }}
-  # set below to existing secret data or generate a random one when not exists
-{{- $databasePassword = (get $secretData "databasePassword") | default ($databasePassword | b64enc) }}
-{{- $databaseName := .Values.global.secrets.databaseName| default "postgres" }}
+
+# Set databasePassword to existing secret data or generate a random one when not exists
+{{- $databasePassword = (get $secretData "databasePassword" | default ($databasePassword | b64enc)) }}
+{{- $databaseName := .Values.global.secrets.databaseName | default "postgres" }}
 {{- $host := printf "%s-%s:5432" .Release.Name .Values.global.databaseAlias }}
 {{- $hostWithoutPort := printf "%s-%s" .Release.Name .Values.global.databaseAlias }}
 {{- $databaseURL := printf "postgresql://%s:%s@%s/%s" $databaseUser (b64dec $databasePassword) $host $databaseName }}
 {{- $databaseJDBCURL := printf "jdbc:postgresql://%s:%s@%s/%s" $databaseUser (b64dec $databasePassword) $host $databaseName }}
 {{- $databaseJDBCURLNoCreds := printf "jdbc:postgresql://%s/%s" $host $databaseName }}
 
-
-{{- $bcGeocoderApiClientId = (get $secretData "bcGeocoderApiClientId") }}
-{{- $bcGeocoderApiKey = (get $secretData "bcGeocoderApiKey") }}
-{{- $bcGeocoderApiUrl = (get $secretData "bcGeocoderApiUrl") }}
-{{- $comsJwtAuthUri = (get $secretData "comsJwtAuthUri") }}
-{{- $cdogsUri = (get $secretData "cdogsUri") }}
-{{- $cdogsClientId = (get $secretData "cdogsClientId") }}
-{{- $cdogsClientSecret = (get $secretData "cdogsClientSecret") }}
-{{- $webeocUsername = (get $secretData "webeocUsername") }}
-{{- $webeocPassword = (get $secretData "webeocPassword") }}
-{{- $webeocPosition = (get $secretData "webeocPosition") }}
-{{- $webeocIncident = (get $secretData "webeocIncident") }}
-{{- $webeocUrl = (get $secretData "webeocUrl") }}
-{{- $webeocComplaintHistorySeconds = (get $secretData "webeocComplaintHistorySeconds") }}
-{{- $webeocCronExpression = (get $secretData "webeocCronExpression") }}
-{{- $natsHost = (get $secretData "natsHost") }}
-{{- $backupDir = (get $secretData "backupDir") }}
-{{- $backupStrategy = (get $secretData "backupStrategy") }}
-{{- $numBackups = (get $secretData "numBackups") }}
-{{- $dailyBackups = (get $secretData "dailyBackups") }}
-{{- $weeklyBackups = (get $secretData "weeklyBackups") }}
-{{- $monthlyBackups = (get $secretData "monthlyBackups") }}
-{{- $databaseServiceName = (get $secretData "databaseServiceName") }}
-{{- $objectstoreAccessKey = (get $secretData "objectstoreAccessKey") }}
-{{- $objectstoreUrl = (get $secretData "objectstoreUrl") }}
-{{- $objectstoreBackupDirectory = (get $secretData "objectstoreBackupDirectory") }}
-{{- $objectstoreBucket = (get $secretData "objectstoreBucket") }}
-{{- $objectstoreSecretKey = (get $secretData "objectstoreSecretKey") }}
+{{- $bcGeocoderApiClientId := (get $secretData "bcGeocoderApiClientId" | b64dec | default (randAlphaNum 10)) }}
+{{- $bcGeocoderApiKey := (get $secretData "bcGeocoderApiKey" | b64dec | default (randAlphaNum 10)) }}
+{{- $bcGeocoderApiUrl := (get $secretData "bcGeocoderApiUrl" | b64dec | default "") }}
+{{- $comsJwtAuthUri := (get $secretData "comsJwtAuthUri" | b64dec | default "") }}
+{{- $cdogsUri := (get $secretData "cdogsUri" | b64dec | default "") }}
+{{- $cdogsClientId := (get $secretData "cdogsClientId" | b64dec | default "") }}
+{{- $cdogsClientSecret := (get $secretData "cdogsClientSecret" | b64dec | default "") }}
+{{- $webeocUsername := (get $secretData "webeocUsername" | b64dec | default "") }}
+{{- $webeocPassword := (get $secretData "webeocPassword" | b64dec | default "") }}
+{{- $webeocPosition := (get $secretData "webeocPosition" | b64dec | default "") }}
+{{- $webeocIncident := (get $secretData "webeocIncident" | b64dec | default "") }}
+{{- $webeocUrl := (get $secretData "webeocUrl" | b64dec | default "") }}
+{{- $webeocComplaintHistorySeconds := (get $secretData "webeocComplaintHistorySeconds" | b64dec | default "") }}
+{{- $webeocCronExpression := (get $secretData "webeocCronExpression" | b64dec | default "") }}
+{{- $natsHost := (get $secretData "natsHost" | b64dec | default "") }}
+{{- $backupDir := (get $secretData "backupDir" | b64dec | default "") }}
+{{- $backupStrategy := (get $secretData "backupStrategy" | b64dec | default "") }}
+{{- $numBackups := (get $secretData "numBackups" | b64dec | default "") }}
+{{- $dailyBackups := (get $secretData "dailyBackups" | b64dec | default "") }}
+{{- $weeklyBackups := (get $secretData "weeklyBackups" | b64dec | default "") }}
+{{- $monthlyBackups := (get $secretData "monthlyBackups" | b64dec | default "") }}
+{{- $databaseServiceName := (get $secretData "databaseServiceName" | b64dec | default "") }}
+{{- $objectstoreAccessKey := (get $secretData "objectstoreAccessKey" | b64dec | default "") }}
+{{- $objectstoreUrl := (get $secretData "objectstoreUrl" | b64dec | default "") }}
+{{- $objectstoreBackupDirectory := (get $secretData "objectstoreBackupDirectory" | b64dec | default "") }}
+{{- $objectstoreBucket := (get $secretData "objectstoreBucket" | b64dec | default "") }}
+{{- $objectstoreSecretKey := (get $secretData "objectstoreSecretKey" | b64dec | default "") }}
 
 {{- $jwksUri := printf "%s-%s:5432" .Release.Name .Values.global.jwksUri }}
 {{- $jwtIssuer := printf "%s-%s:5432" .Release.Name .Values.global.jwtIssuer }}
@@ -77,15 +77,6 @@ data:
   CDOGS_URI: {{ $cdogsUri | b64enc | quote }}
   CDOGS_CLIENT_ID: {{ $cdogsClientId | b64enc | quote }}
   CDOGS_CLIENT_SECRET: {{ $cdogsClientSecret | b64enc | quote }}
-  # WEBEOC Secrets
-  WEBEOC_USERNAME: {{ $webeocUsername | b64enc | quote }}
-  WEBEOC_PASSWORD: {{ $webeocPassword | b64enc | quote }}
-  WEBEOC_POSITION: {{ $webeocPosition | b64enc | quote }}
-  WEBEOC_INCIDENT: {{ $webeocIncident | b64enc | quote }}
-  WEBEOC_URL: {{ $webeocUrl | b64enc | quote }}
-  WEBEOC_COMPLAINT_HISTORY_SECONDS: {{ $webeocComplaintHistorySeconds | b64enc | quote }}
-  WEBEOC_CRON_EXPRESSION: {{ $webeocCronExpression | b64enc | quote }}
-  NATS_HOST: {{ $natsHost | b64enc | quote }}
   # BACKUP Secrets
   BACKUP_DIR: {{ $backupDir | b64enc | quote }}
   BACKUP_STRATEGY: {{ $backupStrategy | b64enc | quote }}
@@ -102,6 +93,26 @@ data:
 ---
 apiVersion: v1
 kind: Secret
+metadata:
+  name: {{ .Release.Name }}-webeoc
+  labels: {{- include "labels" . | nindent 4 }}
+  {{- if .Values.global.secrets.persist }}
+  annotations:
+    helm.sh/resource-policy: keep
+  {{- end }}
+data:
+  # WEBEOC Secrets
+  WEBEOC_USERNAME: {{ $webeocUsername | b64enc | quote }}
+  WEBEOC_PASSWORD: {{ $webeocPassword | b64enc | quote }}
+  WEBEOC_POSITION: {{ $webeocPosition | b64enc | quote }}
+  WEBEOC_INCIDENT: {{ $webeocIncident | b64enc | quote }}
+  WEBEOC_URL: {{ $webeocUrl | b64enc | quote }}
+  WEBEOC_COMPLAINT_HISTORY_SECONDS: {{ $webeocComplaintHistorySeconds | b64enc | quote }}
+  WEBEOC_CRON_EXPRESSION: {{ $webeocCronExpression | b64enc | quote }}
+  NATS_HOST: {{ $natsHost | b64enc | quote }}
+---
+apiVersion: v1
+kind: Secret
 metadata:
   name: {{ .Release.Name }}-flyway
   labels: {{- include "labels" . | nindent 4 }}