diff --git a/bbmri/modules/eric-setup.sh b/bbmri/modules/eric-setup.sh
index d2f36bb..fd44e73 100644
--- a/bbmri/modules/eric-setup.sh
+++ b/bbmri/modules/eric-setup.sh
@@ -10,6 +10,10 @@ if [ "${ENABLE_ERIC}" == "true" ]; then
 export ERIC_BROKER_ID=broker.bbmri.samply.de
 export ERIC_ROOT_CERT=eric
 ;;
+ "acceptance")
+ export ERIC_BROKER_ID=broker-acc.bbmri-acc.samply.de
+ export ERIC_ROOT_CERT=eric.acc
+ ;;
 "test")
 export ERIC_BROKER_ID=broker-test.bbmri-test.samply.de
 export ERIC_ROOT_CERT=eric.test
diff --git a/bbmri/modules/eric.acc.root.crt.pem b/bbmri/modules/eric.acc.root.crt.pem
new file mode 100644
index 0000000..d11033c
--- /dev/null
+++ b/bbmri/modules/eric.acc.root.crt.pem
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDNTCCAh2gAwIBAgIUE/wu6FmI+KSMOalI65b+lI3HI4cwDQYJKoZIhvcNAQEL
+BQAwFjEUMBIGA1UEAxMLQnJva2VyLVJvb3QwHhcNMjQwOTE2MTUyMzU0WhcNMzQw
+OTE0MTUyNDI0WjAWMRQwEgYDVQQDEwtCcm9rZXItUm9vdDCCASIwDQYJKoZIhvcN
+AQEBBQADggEPADCCAQoCggEBAOt1I1FQt2bI4Nnjtg8JBYid29cBIkDT4MMb45Jr
+ays24y4R3WO7VJK9UjNduSq/A1jlA0W0A/szDf8Ojq6bBtg+uL92PTDjYH1QXwX0
+c7eMo2tvvyyrs/cb2/ovDBQ1lpibcxVmVAv042ASmil3SdqKKXpv3ATnF9I7V4cv
+fwB56FChaGIov5EK+9JOMjTx6oMlBEgUFR6qq/lSqM9my0HYwUFbX2W+nT9EKEIP
+9UP1eyfRZR3E/+oticnm/cS20BGCbjoYrNgLthXKyaASuhGoElKs8EZ3h9MiI+u0
+DpR0KpePhAkMLugBrgYWqkMwwD1684LfC4YVQrsLwzo5OW8CAwEAAaN7MHkwDgYD
+VR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFPbXs3g3lMjH
+1JMe0a5aVbN7lB92MB8GA1UdIwQYMBaAFPbXs3g3lMjH1JMe0a5aVbN7lB92MBYG
+A1UdEQQPMA2CC0Jyb2tlci1Sb290MA0GCSqGSIb3DQEBCwUAA4IBAQBM5RsXb2HN
+FpC1mYfocXAn20Zu4d603qmc/IqkiOWbp36pWo+jk1AxejyRS9hEpQalgSnvcRPQ
+1hPEhGU+wvI0WWVi/01iNjVbXmJNPQEouXQWAT17dyp9vqQkPw8LNzpSV/qdPgbT
+Z9o3sZrjUsSLsK7A7Q5ky4ePkiJBaMsHeAD+wqGwpiJ4D2Xhp8e1v36TWM0qt2EA
+gySx9isx/jeGGPBmDqYB9BCal5lrihPN56jd+5pCkyXeZqKWiiXFJKXwcwxctYZc
+ADHIiTLLPXE8LHTUJAO51it1NAZ1S24aMzax4eWDXcWO7/ybbx5pkYkMd6EqlKHd
+8riQJIhY4huX
+-----END CERTIFICATE-----
\ No newline at end of file
diff --git a/bridgehead b/bridgehead
index cbe7527..395504a 100755
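Review bot: The new `"acceptance")` arm selects `ERIC_ROOT_CERT=eric.acc`, and the trust anchor it points at, `bbmri/modules/eric.acc.root.crt.pem`, is introduced in this same commit with no record of where it came from or how it was verified, so a later reader cannot distinguish the genuine broker root from a substituted one. Record the certificate's SHA-256 fingerprint as published by the operator of `broker-acc.bbmri-acc.samply.de` in the commit message, or as a comment on the arm, e.g. `# Trust anchor: bbmri/modules/eric.acc.root.crt.pem — fingerprint checked against <published-fingerprint>`. The enclosing `case` statement begins outside the hunk.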
--- a/bridgehead
+++ b/bridgehead
@@ -69,7 +69,7 @@ loadVars() {
 if [ "$(git rev-parse --abbrev-ref HEAD)" == "main" ]; then
 ENVIRONMENT="production"
 else
- ENVIRONMENT="test"
+ ENVIRONMENT="test" # we have acceptance environment in BBMRI ERIC and it would be more appropriate to default to that one in case the data they have in BH is real, but I'm gonna leave it as is for backward compatibility
 fi
 fi
 # Source the versions of the images components
@@ -80,6 +80,9 @@ loadVars() {
 "test")
 source ./versions/test
 ;;
+ "acceptance")
+ source ./versions/acceptance
+ ;;
 *)
 report_error 7 "Environment \"$ENVIRONMENT\" is unknown. Assuming production. FIX THIS!"
 source ./versions/prod
diff --git a/lib/functions.sh b/lib/functions.sh
index a11920b..680032c 100644
--- a/lib/functions.sh
+++ b/lib/functions.sh
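Review bot: The explanation appended to `ENVIRONMENT="test"` is a roughly 200-character trailing comment on an assignment line, which is hard to read and will keep getting wrapped by editors. Move it above the assignment as a short block, e.g. `# BBMRI-ERIC also has an "acceptance" environment; defaulting to it might suit sites holding real data better,` / `# but "test" stays the default for backward compatibility.` / `ENVIRONMENT="test"`. `loadVars()` starts outside the hunk.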
@@ -347,18 +347,21 @@ function secret_sync_gitlab_token() {
 root_crt_file="/srv/docker/bridgehead/$PROJECT/root.crt.pem"
 fi
 
- # Use Secret Sync to validate the GitLab token in /var/cache/bridgehead/secrets/gitlab_token.
+ # Create a temporary directory for Secret Sync that is valid per boot
+ secret_sync_tempdir="/tmp/bridgehead/secret-sync.boot-$(cat /proc/sys/kernel/random/boot_id)"
+ mkdir -p $secret_sync_tempdir
+
+ # Use Secret Sync to validate the GitLab token in $secret_sync_tempdir/cache.
 # If it is missing or expired, Secret Sync will create a new token and write it to the file.
 # The git credential helper reads the token from the file during git pull.
- mkdir -p /var/cache/bridgehead/secrets
- touch /var/cache/bridgehead/secrets/gitlab_token # the file has to exist to be mounted correctly in the Docker container
 log "INFO" "Running Secret Sync for the GitLab token (gitlab=$gitlab)"
 docker pull docker.verbis.dkfz.de/cache/samply/secret-sync-local:latest # make sure we have the latest image
 docker run --rm \
- -v /var/cache/bridgehead/secrets/gitlab_token:/usr/local/cache \
 -v $PRIVATEKEYFILENAME:/run/secrets/privkey.pem:ro \
 -v $root_crt_file:/run/secrets/root.crt.pem:ro \
 -v /etc/bridgehead/trusted-ca-certs:/conf/trusted-ca-certs:ro \
+ -v $secret_sync_tempdir:/secret-sync/ \
+ -e CACHE_PATH=/secret-sync/gitlab-token \
 -e TLS_CA_CERTIFICATES_DIR=/conf/trusted-ca-certs \
 -e NO_PROXY=localhost,127.0.0.1 \
 -e ALL_PROXY=$HTTPS_PROXY_FULL_URL \
diff --git a/lib/gitlab-token-helper.sh b/lib/gitlab-token-helper.sh
index e618029..1aa7a62 100755
--- a/lib/gitlab-token-helper.sh
+++ b/lib/gitlab-token-helper.sh
@@ -2,7 +2,7 @@
 
 [ "$1" = "get" ] || exit
 
-source /var/cache/bridgehead/secrets/gitlab_token
+source "/tmp/bridgehead/secret-sync.boot-$(cat /proc/sys/kernel/random/boot_id)/gitlab-token"
 
 # Any non-empty username works, only the token matters
 cat << EOF
diff --git a/modules/ssh-tunnel-setup.sh b/modules/ssh-tunnel-setup.sh
index eb49f1c..4ecf5a3 100644
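Review bot: The GitLab token cache moves from the root-owned `/var/cache/bridgehead/secrets` into `/tmp/bridgehead/secret-sync.boot-<boot_id>`, a path that every local user can predict (`/proc/sys/kernel/random/boot_id` is world-readable) inside the world-writable `/tmp`, and `mkdir -p $secret_sync_tempdir` neither sets a mode nor checks that `/tmp/bridgehead` or the leaf was not already created or symlinked by someone else — so the secret could be written into a directory another user controls. The same path is then `source`d by `lib/gitlab-token-helper.sh` (next hunk), which makes the location matter even more. Keep the directory out of `/tmp` — `/run` is a per-boot tmpfs on systemd hosts, which gives the "valid per boot" lifetime without the boot_id suffix, or simply stay under `/var/cache/bridgehead` — create it with mode 700, quote the variable (also in the `-v $secret_sync_tempdir:/secret-sync/` mount), and refuse a symlink or foreign-owned directory; the helper script's path must be changed to match. `secret_sync_gitlab_token()` starts and ends outside the hunk, and `log "ERROR"` below assumes `log` accepts that level the way it accepts `"INFO"`.
```shell
    # Per-boot cache for Secret Sync. Kept out of /tmp on purpose: the boot_id is
    # readable by every local user, so a /tmp path is predictable and could be
    # pre-created or symlinked before this script runs. /run is a tmpfs cleared
    # on every boot, which already gives the per-boot lifetime we want.
    secret_sync_tempdir="/run/bridgehead/secret-sync.boot-$(cat /proc/sys/kernel/random/boot_id)"
    mkdir -p -m 700 -- "$secret_sync_tempdir"
    # Refuse a directory we did not create ourselves (symlink or foreign owner).
    if [ -L "$secret_sync_tempdir" ] || [ ! -O "$secret_sync_tempdir" ]; then
        log "ERROR" "Secret Sync directory $secret_sync_tempdir is a symlink or not owned by this user - refusing to continue"
        return 1
    fi
    chmod 700 -- "$secret_sync_tempdir"
    # … unchanged: Secret Sync comment block, log, docker pull …
    docker run --rm \
        # … unchanged: privkey / root.crt / trusted-ca-certs mounts …
        -v "$secret_sync_tempdir":/secret-sync/ \
        -e CACHE_PATH=/secret-sync/gitlab-token \
        # … unchanged: remaining -e options …
```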
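Review bot: `source "/tmp/bridgehead/secret-sync.boot-$(...)/gitlab-token"` executes the cache file as shell code rather than reading a value out of it, so whatever sits at that predictable `/tmp` path runs with the privileges of whoever invokes `git pull` (this helper is called by git for the `get` action). At minimum guard the file before sourcing it: `token_file="/tmp/bridgehead/secret-sync.boot-$(cat /proc/sys/kernel/random/boot_id)/gitlab-token"` / `[ -f "$token_file" ] && [ ! -L "$token_file" ] && [ -O "$token_file" ] || exit 1` / `source "$token_file"`. Better still, if the cache holds a single `NAME=value` line (it appears to, since it is sourced — confirm against Secret Sync), read that one value with `IFS= read -r` into the variable the heredoc expects instead of sourcing; the heredoc body is outside the hunk, so I cannot name the variable. The location itself is discussed in the `lib/functions.sh` hunk above.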
--- a/modules/ssh-tunnel-setup.sh
+++ b/modules/ssh-tunnel-setup.sh
@@ -2,5 +2,5 @@
 
 if [ -n "$ENABLE_SSH_TUNNEL" ]; then
 log INFO "SSH Tunnel setup detected -- will start SSH Tunnel."
- OVERRIDE+=" -f ./$PROJECT/modules/ssh-tunnel-compose.yml"
+ OVERRIDE+=" -f ./modules/ssh-tunnel-compose.yml"
 fi
diff --git a/modules/transfair-compose.yml b/modules/transfair-compose.yml
index 81ef952..e7e0eea 100644
--- a/modules/transfair-compose.yml
+++ b/modules/transfair-compose.yml
@@ -22,6 +22,7 @@ services:
 - DATABASE_URL=sqlite://transfair/data_requests.sql?mode=rwc
 - RUST_LOG=${RUST_LOG:-info}
 - TLS_CA_CERTIFICATES_DIR=/conf/trusted-ca-certs
+ - TLS_DISABLE=${TRANSFAIR_TLS_DISABLE:-false}
 volumes:
 - /var/cache/bridgehead/${PROJECT}/transfair:/transfair
 - /etc/bridgehead/trusted-ca-certs:/conf/trusted-ca-certs:ro
diff --git a/versions/acceptance b/versions/acceptance
new file mode 100644
index 0000000..7d66e03
--- /dev/null
+++ b/versions/acceptance
@@ -0,0 +1,3 @@
+FOCUS_TAG=develop
+BEAM_TAG=develop
+BLAZE_TAG=main
\ No newline at end of file
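Review bot: `TLS_DISABLE=${TRANSFAIR_TLS_DISABLE:-false}` adds an undocumented switch that, going by its name, turns TLS (or TLS verification — confirm against TransFAIR's documentation) off for a service that otherwise relies on the `trusted-ca-certs` bundle mounted two lines below, and nothing states when it is legitimate or stops it from being set on a production site. Add a comment on the new line, e.g. `# TRANSFAIR_TLS_DISABLE=true switches TLS off for TransFAIR; only for test/acceptance setups, never set it in a production bridgehead config`, and document the variable wherever the other `TRANSFAIR_*` settings are described. Since `ENVIRONMENT` is already evaluated in the `bridgehead` script (see the `loadVars()` hunk above), it may also be worth refusing a `true` value there when the environment is `production`.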