diff --git a/data/lib/systemd/revpipyload.service b/data/lib/systemd/revpipyload.service
index 1883512..460d84c 100644
--- a/data/lib/systemd/revpipyload.service
+++ b/data/lib/systemd/revpipyload.service
@@ -9,5 +9,17 @@ PIDFile=/var/run/revpipyload.pid
 ExecStart=/usr/share/revpipyload/revpipyloadd -d $DAEMON_OPTS
 ExecReload=/bin/kill -HUP $MAINPID
 
+# systemd sandboxing process
+ProtectSystem=strict
+ProtectControlGroups=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+
+# Allow write operations to the following destinations
+ReadWritePaths=/dev/piControl0 /etc/revpipyload/ /etc/revpi/config.rsc /home/ /var/lib/revpipyload/ /var/log/ /var/run/revpipyload.pid
+
+# Restrict file system access to the following directories
+InaccessiblePaths=/boot /root
+
 [Install]
 WantedBy=multi-user.target
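Review bot: The new `ReadWritePaths=` line keeps all of `/home/` and `/var/log/` writable, which hands back much of what `ProtectSystem=strict` removes: a compromised daemon could still modify any user's login and key files and the logs of other services. If the daemon only needs its own program directory and its own log file, list those paths instead of the parent directories, and add a comment saying why each entry is writable, e.g. `# /home/ is writable because control programs are stored there` if that is the reason. Separately, `/var/run/revpipyload.pid` will usually not exist before the first start on a tmpfs `/run`, and systemd fails namespace setup for a missing `ReadWritePaths=` entry unless it is prefixed with `-`. Even with `-/var/run/revpipyload.pid` the daemon could not create the file, since `/run` itself is read-only under `strict`, so a service-owned `RuntimeDirectory=` holding the PID file looks like the more robust choice. That would mean changing the `PIDFile=` path, which is set outside this hunk.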