Enterprise-grade security

Built for buyers who
need to trust first

M360 runs on Google Cloud with per-tenant data isolation, RBAC, and compliance-safe outreach for banking and healthcare. Here's everything your security team needs to know.

FDCPA-safe
Banking & collections
HIPAA-safe
Healthcare outreach
Encrypted
At rest & in transit
Google Cloud
Cloud Run + Firestore

Infrastructure

M360 is deployed entirely on Google Cloud. The application tier runs on Cloud Run — a fully managed, serverless container platform with automatic scaling and no persistent server-side state. Data is stored in Firestore, Google's globally replicated NoSQL database.

Cloud Run
Serverless containers, auto-scaled, zero persistent attack surface
Firestore
Globally replicated, per-collection security rules, no SQL injection surface
Global CDN
Firebase Hosting with edge caching and DDoS mitigation

Data isolation

Every client is an isolated tenant. Data is namespaced in Firestore by tenant ID — no query can cross tenant boundaries by design. Firestore security rules enforce this at the database layer, not just in application code.

  • Per-tenant Firestore namespacing — cross-tenant reads are structurally impossible
  • RBAC scoping enforced at the Firestore rule level, not just in the UI
  • Reseller operators are scoped to their assigned tenants only

Authentication & access control

All authentication is handled by Firebase Auth (Google Identity Platform). Sessions use short-lived JWT tokens. Role enforcement happens server-side — the platform does not trust client-supplied role claims.

Role hierarchy
mc_admin MineCore staff
mc_operator Client admins
mc_reseller_operator Reseller scoped
user Agents
Auth features
  • Invitation-only registration (no open sign-up)
  • Short-lived JWT with automatic refresh
  • Server-side role verification on every request
  • Immediate session revocation on role change

Regulatory compliance

M360's outreach framework is designed around the consent and frequency rules that matter most to regulated industries. The platform tracks every communication channel per customer, enforcing opt-out and contact restriction rules automatically.

FDCPA (Banking)
Cease-communication tracking. Contact time-of-day restrictions. Dispute flag stops outreach.
HIPAA-safe (Healthcare)
Consent gating before outreach. No PHI in SMS bodies. Audit log of every contact.
Consent management
Per-channel opt-out stored on account. Opt-out honored across all agents and cadences.

Encryption

At rest

All Firestore data is encrypted at rest using AES-256, managed by Google Cloud's default encryption. No additional configuration required.

In transit

All traffic between the browser, Cloud Run, and Firestore uses TLS 1.2+. HTTPS is enforced — HTTP requests are redirected automatically.

Audit logs

Every write action in M360 is logged with a timestamp, user ID, tenant ID, and action type. Logs are stored in Firestore and cannot be modified or deleted by operators or agents.

// Sample audit log entry
"action": "disposition_set",
"user": "agent@client.com",
"tenant": "client-abc",
"account": "ACC-00124",
"disposition": "PTP",
"timestamp": "2026-05-11T14:32:07Z"

Uptime & reliability

Cloud Run auto-scales from zero to hundreds of instances in seconds. There is no single point of failure — each request is served by a stateless container. Firestore provides multi-region replication automatically.

99.9%
Google Cloud SLA
Auto
Scale-to-zero + burst
Multi-region
Firestore replication

Questions for your security team?

We're happy to walk through architecture, data flows, and compliance specifics on a call. Bring your InfoSec team.

Schedule a Security Review Call