Security

Where your capital sits.

Client capital is held separately from the firm’s own books. Trading risk is capped by rule. Client data is held under UK data-protection rules.

Custody

How client capital is held.

Segregated client accounts.

Client capital is held in segregated accounts at independent brokers, separate from Jones Croft’s own books. The firm does not commingle client capital with operational funds at any point.

Trading authority only.

Jones Croft holds trading authority over client accounts — the ability to place and close positions within the mandate rules. The firm cannot withdraw client capital. All withdrawals require explicit client authorisation through the dashboard.

Daily reconciliation.

Broker statements are reconciled daily against the firm’s internal records. Any discrepancy is flagged and resolved before the following session begins.

Independent audit.

Custodial arrangements and fund accounting are reviewed by independent auditors on a regular cycle.

Trading risk

Capped by rule, not by intention.

Risk controls are encoded in the execution system and enforced automatically. The ability to override them intraday does not exist.

Per-trade risk: Fixed fraction of portfolio capital; identical for every position
Portfolio exposure cap: Maximum aggregate exposure across all open positions
Daily drawdown limit: Automatic trading halt if the portfolio falls by a defined percentage in a single day
Stop-losses: Predetermined exit set before each position opens; enforced by the execution system
Correlation screening: Exposure across correlated instruments aggregated against portfolio limits

Data protection

How client data is held.

UK GDPR and Data Protection Act 2018.

Personal data is collected, stored, and processed in accordance with UK data-protection law. Data is stored in UK or European data centres only.

Minimum data, held briefly.

The firm collects only the information required to open and administer an account. Records are retained for the period required by law, then securely destroyed.

Encryption in transit and at rest.

All data in transit is encrypted with TLS 1.3. Data at rest is encrypted with AES-256. Access to the production database is limited to named individuals and fully logged.

Multi-factor authentication.

Dashboard access requires a second factor on every sign-in from a new device. Sessions are short-lived and re-verified for any sensitive action.

Right of access and erasure.

Clients may request access to, correction of, or erasure of their personal data at any time via dpo@jonescroft.com. Requests are processed within one calendar month.

Operational

Day-to-day controls.

KYC and AML: Identity and source-of-funds verification on every application
Sanctions screening: Ongoing screening of client accounts against UK sanctions lists
Audit trail: Every trade, every sign-in, every data change is logged and retained
Redundant infrastructure: Primary and standby systems with automatic failover
Incident response: Defined procedures for system outages or suspected compromise, with prompt client notification

Questions

On security, the best person to ask is Felix.

The firm is small enough that the person responsible for the security posture is also the person answering questions about it. Contact details below.

security@jonescroft.com
