Three Custody Modes. Your Keys, Your Rules.
Choose the custody model that matches your organization's security posture and operational requirements. Switch modes as your needs evolve - your assets, your policies, and your audit history carry over seamlessly.
Choose the model that fits your operational requirements
Each mode provides the same policy evaluation, audit trails, and compliance tooling. The difference is where key shares are held and who participates in signing.
Self-Custody
Your organization holds all key shares. No third party - including JIL - can sign transactions on your behalf. Compatible with hardware wallets and air-gapped signing devices.
Split-Key (2-of-3 MPC)
Private keys are split into three shares distributed across your organization, the JIL platform, and an independent escrow agent. Any two of three shares are required to sign. No single party can act alone.
Delegated
JIL manages the signing process on your behalf, subject to your policy rules and approval workflows. Lowest operational overhead while maintaining full asset segregation and audit trails.
Four-step key ceremony process
Every MPC deployment begins with a structured key ceremony. This process generates, distributes, verifies, and activates key shares in a way that produces cryptographic proof of correct setup.
Generate
Cryptographic key material is generated in a secure, isolated environment using a hardware random number generator. The generation process produces verifiable entropy proofs.
Distribute
Key shares are encrypted and distributed to designated share holders - your organization, the JIL platform, and the independent escrow agent. Each share is transmitted through a separate secure channel.
Verify
Each share holder independently verifies their key share using zero-knowledge proofs. Verification confirms that shares are valid and that the threshold scheme is correctly configured without revealing any key material.
Activate
Once all parties confirm successful verification, the key is activated for signing operations. A ceremony receipt containing all proofs and attestations is generated for your records.
How key shards work together
Multi-party computation allows multiple parties to jointly compute a signature without any single party ever reconstructing the full private key. The key never exists in one place.
Client shard
Held by your organization. Stored in your HSM or hardware wallet.
Platform shard
Held by JIL. Stored in a FIPS 140-2 Level 3 certified HSM.
Escrow shard
Held by independent escrow agent. Accessible only during recovery.
Any combination of two share holders can produce a valid signature. The full private key is never reconstructed - computation happens across the distributed shares using secure multi-party protocols.
Transaction initiated
A user submits a transaction request. The request passes through policy checks and approval workflows before reaching the signing layer.
Distributed computation
Each participating share holder contributes their partial signature using their key shard. Computation happens locally - shards are never transmitted.
Signature assembled
Partial signatures are combined into a single valid transaction signature. The transaction is broadcast to the network with a full audit receipt.
JIL is a software platform, not a custodian
Your keys remain under your control. JIL provides the infrastructure - policy evaluation and attestation, audit trails, compliance tooling, and operational dashboards - but does not take custody of your assets. This structural distinction has significant legal and regulatory implications.
Traditional custodian model
Your assets sit on the custodian's balance sheet. You depend on the custodian's solvency, security practices, and regulatory compliance. Counterparty risk is structural.
JIL platform model
Your assets remain under your cryptographic control. JIL provides operational infrastructure but never holds, controls, or has unilateral access to your funds. Zero counterparty risk.