diff --git a/.github/PULL_REQUEST_TEMPLATE.md b/.github/PULL_REQUEST_TEMPLATE.md index 2130585f..370d90e5 100644 --- a/.github/PULL_REQUEST_TEMPLATE.md +++ b/.github/PULL_REQUEST_TEMPLATE.md @@ -5,5 +5,19 @@ ## Related PR/s ## Checklist - - [ ] I tested and it works + + + + + + diff --git a/services/traefik/docker-compose.yml.j2 b/services/traefik/docker-compose.yml.j2 index c0b64961..1415674f 100644 --- a/services/traefik/docker-compose.yml.j2 +++ b/services/traefik/docker-compose.yml.j2 @@ -132,7 +132,11 @@ services: - traefik.http.middlewares.ops_ratelimit.ratelimit.average=${TRAEFIK_RATELIMIT_AVG} - traefik.http.middlewares.ops_ratelimit.ratelimit.burst=${TRAEFIK_RATELIMIT_BURST} - traefik.http.middlewares.ops_ratelimit.ratelimit.sourcecriterion.ipstrategy.depth=1 - + # Platform user auth: Use this middleware to enforce only authenticated users + # https://doc.traefik.io/traefik/middlewares/http/forwardauth + - traefik.http.middlewares.authenticated_platform_user.forwardauth.address=http://${WEBSERVER_HOST}:${WEBSERVER_PORT}/v0/auth:check + - traefik.http.middlewares.authenticated_platform_user.forwardauth.trustForwardHeader=true + - traefik.http.middlewares.authenticated_platform_user.forwardauth.authResponseHeaders=Set-Cookie,osparc-sc2 networks: public: null monitored: null diff --git a/services/traefik/template.env b/services/traefik/template.env index 8ab04f20..acde96d1 100644 --- a/services/traefik/template.env +++ b/services/traefik/template.env @@ -34,3 +34,6 @@ OPS_TRAEFIK_LOGLEVEL=${OPS_TRAEFIK_LOGLEVEL} PUBLIC_NETWORK=${PUBLIC_NETWORK} MONITORED_NETWORK=${MONITORED_NETWORK} + +WEBSERVER_HOST=${WEBSERVER_HOST} +WEBSERVER_PORT=${WEBSERVER_PORT} diff --git a/services/vendors/Makefile b/services/vendors/Makefile new file mode 100644 index 00000000..5643540a --- /dev/null +++ b/services/vendors/Makefile 
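Review bot: `forwardauth.trustForwardHeader=true` on the new `authenticated_platform_user` middleware makes Traefik pass the `X-Forwarded-*` headers it received from the client through to `/v0/auth:check` instead of replacing them with its own values. That is only safe when a trusted proxy in front of Traefik sets those headers; if this Traefik is the edge (not visible in this hunk), the auth endpoint can be shown a client-chosen host, URI or source address. I would set `traefik.http.middlewares.authenticated_platform_user.forwardauth.trustForwardHeader=false` unless the upstream proxy is documented in the comment above the label. Separately, `authResponseHeaders=Set-Cookie,osparc-sc2` copies those headers onto the request forwarded to the protected backend, not onto the response to the browser, so a comment should say whether the backend is meant to receive them.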
@@ -0,0 +1,35 @@
+.DEFAULT_GOAL := help
+
+# Internal VARIABLES ------------------------------------------------
+# STACK_NAME defaults to name of the current directory. Should not to be changed if you follow GitOps operating procedures.
+STACK_NAME = $(notdir $(shell pwd))
+TEMP_COMPOSE=.stack.${STACK_NAME}.yaml
+REPO_BASE_DIR := $(shell git rev-parse --show-toplevel)
+
+# TARGETS --------------------------------------------------
+include ${REPO_BASE_DIR}/scripts/common.Makefile
+
+.PHONY: up ## Deploys stack
+up: ${TEMP_COMPOSE} .init .env
+ docker stack deploy --with-registry-auth --prune --compose-file $< ${STACK_NAME}
+
+.PHONY: up-dalco ## Deploys stack for Dalco Cluster
+up-dalco: up
+
+.PHONY: up-aws
+up-aws: up
+
+.PHONY: up-master ## Deploys stack on master cluster
+up-master: up
+
+.PHONY: up-public ## Deploys stack on public cluster
+up-public: up
+
+.PHONY: up-local ## Deploys stack on local deployment
+up-local: up
+
+# Helpers -------------------------------------------------
+
+.PHONY: ${TEMP_COMPOSE}
+${TEMP_COMPOSE}: docker-compose.yml .env
+ ${REPO_BASE_DIR}/scripts/docker-stack-config.bash -e .env $< > $@
diff --git a/services/vendors/docker-compose.yml b/services/vendors/docker-compose.yml
new file mode 100644
index 00000000..14a21cab
--- /dev/null
+++ b/services/vendors/docker-compose.yml
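Review bot: `up-aws` is the only deploy target declared without a `##` description (`.PHONY: up-aws`), so it will presumably be missing from the `help` output that its siblings feed; `.PHONY: up-aws ## Deploys stack on AWS cluster` would match them. The comment on `STACK_NAME` reads "Should not to be changed" and would be clearer as "Should not be changed if you follow GitOps operating procedures." `${TEMP_COMPOSE}` holds the compose file rendered with values from `.env`, so it is worth confirming that `.stack.*.yaml` is ignored by git, which cannot be seen from this hunk.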
@@ -0,0 +1,39 @@
+version: "3.7"
+
+services:
+ manual:
+ image: ${VENDOR_MANUAL_IMAGE}
+ init: true
+ hostname: "{{.Node.Hostname}}-{{.Task.Slot}}"
+ deploy:
+ replicas: ${VENDOR_MANUAL_REPLICAS}
+ placement:
+ constraints:
+ - node.labels.simcore==true
+ resources:
+ limits:
+ cpus: "1"
+ memory: 2G
+ reservations:
+ cpus: "0.5"
+ memory: 1G
+ update_config:
+ parallelism: 1
+ order: start-first
+ failure_action: continue
+ delay: 10s
+ labels:
+ - traefik.enable=true
+ - traefik.docker.network=${PUBLIC_NETWORK}
+ - traefik.http.services.vendor_manual.loadbalancer.server.port=${VENDOR_MANUAL_PORT}
+ - traefik.http.routers.vendor_manual.entrypoints=https
+ - traefik.http.routers.vendor_manual.tls=true
+ - traefik.http.routers.vendor_manual.rule=Host(`${VENDOR_MANUAL_DOMAIN}`)
+ - traefik.http.routers.vendor_manual.middlewares=ops_gzip@swarm, authenticated_platform_user@swarm
+ networks:
+ - public
+
+networks:
+ public:
+ external: true
+ name: ${PUBLIC_NETWORK}
diff --git a/services/vendors/template.env b/services/vendors/template.env
new file mode 100644
index 00000000..65765548
--- /dev/null
+++ b/services/vendors/template.env
@@ -0,0 +1,5 @@
+VENDOR_MANUAL_IMAGE=${VENDOR_MANUAL_IMAGE}
+VENDOR_MANUAL_REPLICAS=${VENDOR_MANUAL_REPLICAS}
+VENDOR_MANUAL_DOMAIN=${VENDOR_MANUAL_DOMAIN}
+VENDOR_MANUAL_PORT=${VENDOR_MANUAL_PORT}
+PUBLIC_NETWORK=${PUBLIC_NETWORK}
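Review bot: Access control for the `manual` service rests entirely on the `vendor_manual` router label, and the middleware list there is written with a space after the comma (`ops_gzip@swarm, authenticated_platform_user@swarm`). Whether that space is trimmed depends on the label parser, so I would write `traefik.http.routers.vendor_manual.middlewares=ops_gzip@swarm,authenticated_platform_user@swarm` and confirm on the Traefik dashboard that the router resolves both middlewares. The forward-auth check only covers requests that arrive through Traefik; other containers attached to `${PUBLIC_NETWORK}` can presumably reach `${VENDOR_MANUAL_PORT}` directly, which deserves a comment above the `networks:` entry, or a dedicated network if the manual content is sensitive.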