OBZ
Obizworks Service PortalPayroll · Benefits · Appraisals
Payroll & Service Portal

Payroll, benefits, and appraisals in one portal.

Your payroll system of record — with health, fuel, PTO, provident fund, and appraisals in a single governed portal, audit-trailed and self-service for every employee.

Request a demoSee what it does

Payroll as the system of record — with everything that feeds it.

HSI-MIS runs payroll as the single source of truth, with Appraisal, Health, Fuel, PTO, and Provident Fund managed alongside it. It's offered to clients as an Obizworks Service Portal — your own governed payroll-and-benefits portal.

System of record

One authoritative payroll source

Benefits, appraisals, and leave all reconcile back to one governed payroll record — not scattered spreadsheets.

All-in-one

Benefits + appraisals together

Payroll plus health, fuel, PTO, provident fund, and appraisals in a single self-service portal for every employee.

Governed

Audit-trailed, controlled changes

Changes are controlled and recorded — you can show what changed, when, and by whom. Governance applied to payroll.

The Obizworks hallmark — every portal in the estate runs on the same governed platform.

Safe agent development & hosting

How your agent is kept safe

When Obizworks develops or hosts an AI agent for you, it doesn't run loose. It runs inside a layered environment — every layer a control the system enforces, not a policy you have to trust.

Layered containment environment for a client agent Concentric layers around the client's agent: Constitution, identity and capability contract, budget cap and egress allowlist, append-only audit trail, with human override able to reach in at any layer. 1 · CONSTITUTION Ratified rules every agent loads on every run. Bedrock rules cannot be overridden — by any contract or person. 2 · IDENTITY & CAPABILITY CONTRACT A named agent that may do only what its signed contract declares — nothing more. 3 · BUDGET CAP & EGRESS ALLOWLIST A hard spend ceiling, and a list of the only endpoints it is allowed to reach. 4 · APPEND-ONLY AUDIT TRAIL Every action recorded — never edited, never deleted. The answer to "what happened?" YOUR AGENT does the work — inside all of it HUMAN OVERRIDE a person can pause or stop it at any time
1Constitution. The rulebook your agent is born into. Bedrock rules can't be weakened — not by a client contract, not by us.
2Identity & capability contract. A known, named agent, allowed to do exactly what its contract declares.
3Budget cap & egress allowlist. A hard ceiling on spend, and a fixed list of where it's allowed to connect.
4Append-only audit trail. Everything it does, written down permanently — so any action can be explained, later, to anyone.

Every layer is enforced by the substrate itself. Exceed a budget, reach an endpoint that wasn't granted, act outside the contract — the system stops it, and the attempt is in the audit trail. That's governance that holds, not governance you point to.

Technical infrastructure

Governance is only as solid as what it runs on.

The whole platform runs on a hardened Microsoft Azure virtual machine in West Europe — chosen for data residency, built-in security tooling, and a clean vertical scaling path. Every component below is a named, monitored part of the stack.

Obizworks technology infrastructure stack Public traffic enters through Cloudflare, then a hardened Microsoft Azure D2s_v3 virtual machine in West Europe running Caddy, the governance API, the metering proxy, the governance MCP, PgBouncer and PostgreSQL 16 with pgvector. Backups are GPG-encrypted to Azure Blob Storage and logs stream to Azure Monitor. FROM THE PUBLIC INTERNET CLOUDFLARE WAF · CDN · DDoS shield · TLS at the edge MICROSOFT AZURE VM Standard D2s_v3 · 2 vCPU / 8 GiB RAM · West Europe · Trusted Launch (Secure Boot + vTPM) obz-caddy reverse proxy · Let's Encrypt TLS · /v1/* + /governance/* routing governance-api Constitution · contracts · records :8000 · FastAPI obz-llm-proxy per-agent metering · budget caps · egress :8002 · Anthropic-compatible governance-mcp agent tool surface MCP server PgBouncer connection pooler — apps never hit the database directly PostgreSQL 16 + pgvector obz_audit · obz_workflow · obz_context — append-only audit substrate Azure Monitor Log Analytics syslog + alert rules obz-backup daily 17:00 UTC GPG-encrypted Azure Blob Storage off-VM · GPG-encrypted · tested restores
Standard D2s_v3 · 2 vCPU / 8 GiB West Europe region Trusted Launch · Secure Boot + vTPM Premium SSD · daily encrypted backups

Cloudflare absorbs hostile traffic at the edge; Caddy terminates TLS and routes only known paths; the governed app containers never touch the database directly — they go through PgBouncer into PostgreSQL 16 with pgvector. Backups leave the VM nightly, GPG-encrypted, to Azure Blob Storage, and the whole machine streams its logs to Azure Monitor. Scaling up is a VM-size change, not a re-architecture.

Common questions

What is a payroll “system of record”?
It's the single authoritative source for payroll data that everything else reconciles to. Benefits, appraisals, and leave all tie back to one governed, audit-trailed source.
Can one portal handle payroll, benefits, and appraisals together?
Yes — payroll plus health, fuel, PTO, provident fund, and appraisals in a single self-service portal. Employees get self-service; the business gets one governed record.
What is governed payroll software with an audit trail?
Payroll where changes are controlled and recorded, so you can show what changed, when, and by whom. That audit trail is the governance hallmark applied to payroll.
Can clients get their own payroll Service Portal?
Yes — HSI-MIS is offered as an Obizworks Service Portal, meaning a client can run their own governed payroll-and-benefits portal.

More on how the whole governed platform works — obizworks.com/answers.

Obizworks Enterprise

AI is acting on your behalf. Who's checking it?

See how it's governed ›
obizworks.com

Part of Obizworks Enterprise

Obizworks builds governed AI that runs your workflows — audited, human-approved, and accountable.