Arbor - The Complete HR + Payroll Suite
The HR + Payroll platform your whole team actually uses.
40+ modules, AI-ready, built in Laravel — deploy the whole BambooHR / Gusto feature set on any shared host in 10 minutes. One purchase. Unlimited employees. Full source.
HR software your clients can actually afford.
Your clients' HR stack shouldn't cost $10/user/month forever. Arbor ships the full HR + Payroll feature set as a single Laravel app — install it on their existing shared host, charge once, own the data. Built for dev agencies, in-house IT teams, and founders who want a complete people platform without the SaaS tax.
For agencies
White-label a polished HR platform for your SMB clients. Unlimited installs (with the extended license). Customize freely — it's clean Laravel.
For in-house IT
Replace a $500/mo SaaS bill with a one-time purchase. Host on your own VPS or shared plan. Own every employee's record.
For founders
Get the polish of BambooHR at a fraction of the cost. Walk through the web installer, invite your team, done in an hour.
A UI that doesn't feel like enterprise software.
Dark mode, command palette (⌘K), PWA install, keyboard shortcuts, inline Livewire interactivity — built on Tailwind v4 with the Inter font.
Fourteen reasons Arbor replaces your SaaS stack.
Not a thin wrapper. Each module is production-grade and tested.
Complete HR core
Employees, departments, org chart with zoom/pan, onboarding templates, contractors, multi-company.
Full payroll engine
Monthly runs, progressive tax, PF, insurance, PDF payslips, anomaly detection, mark-as-paid workflow.
Recruiting + ATS
Job openings, Kanban board with drag-drop, AI résumé screening, interview scheduling, offer letters with e-sign.
Time & attendance
Clock in/out, late detection, timesheets per-project, shift scheduler, team calendar with iCal feed.
Leave + accruals
Weekend-aware day counting, manager approval, monthly accrual engine, carry-over rules, holiday calendar.
Benefits administration
Plans, open enrollment windows, coverage levels, dependents, pre-tax deduction tracking.
Performance + OKRs
Review cycles, self/manager/overall ratings, goals with key results, 1:1 meetings with shared agendas.
Surveys + eNPS
Pulse surveys, eNPS, custom questions, anonymous option, AI sentiment analysis with theme extraction.
AI-ready (BYOK)
Plug in OpenAI / Anthropic / Gemini keys. Summarize reviews, screen résumés, answer policy questions, draft replies.
Integrations
Stripe Connect, Slack slash commands, Calendly, Twilio SMS, outbound webhooks + Google / GitHub social login.
Enterprise & compliance
SCIM 2.0 endpoints, scope-aware IP allowlist, configurable rate limits, role delegation with nightly reconcile, SIEM export (NDJSON + CEF), GDPR / DPDP export & deletion.
PWA + offline
Install on home screen, offline clock-in queue (IndexedDB), command palette (⌘K), dark mode, 6 keyboard shortcuts.
6 languages built-in
English, Spanish, French, German, Portuguese, Chinese — fully translated. Locale persists per user; emails render in the user's language.
In-app + email notifications
Bell with unread badge, dropdown, full inbox at /notifications. Leave, payroll, offer, onboarding events fire automatically. Per-user opt-out per event, plus optional Twilio SMS channel.
Modern HR runs on AI. Arbor ships it.
Arbor integrates with OpenAI, Anthropic, and Google Gemini
via prism-php. Keys are encrypted at rest. Admins pick the default provider and model.
When no key is set, features gracefully fall back.
Every module, every feature.
Grouped by functional area. All of this is in the zip.
People Core HR
Directory, hierarchy, lifecycle, and onboarding.
- Employee directory with filter + search, bulk CSV import
- Per-employee detail page with AI job description generator
- Departments with parent/child hierarchy & department head
- Org chart with zoom, pan, click-to-profile
- Onboarding templates (per-role, owner + due-day per task)
- Recruiting pipeline (jobs, candidates, configurable stages, Kanban drag)
- Public careers page at
/careerswith per-job application form - Interview slots with interviewer, scorecard feedback, Calendly auto-create
- Offer letters with merge fields + 14-day signed-URL e-signature
- Contractor profiles (1099 / W-9) with invoice intake + Stripe Connect payout
- Multi-company with scoped employees & payroll runs
- Skills catalog + per-job required skills + gap finder + merge-duplicates
- Custom fields per entity (employee, department, candidate, project, job opening)
Time Attendance + leave
Clock, schedule, request, approve — all on one stack.
- Web clock-in / clock-out with IP + source tracking
- Late + half-day auto-detection, configurable threshold
- Nightly auto-close scheduler for open clock-ins
- Twilio inbound SMS clock-in for deskless workers (opt-in)
- Timesheets per-project, billable toggle, weekly summary
- Shift patterns + weekly scheduler grid, assign per day
- Team calendar (month grid) + iCal feed at
/calendar.ics - Leave types, balances, paid toggle, color
- Weekend-aware day counting; manager approval workflow
- Monthly accrual engine (rules per type, tenure gate, cap, carryover)
- Holiday calendar per country with recurring-date support
Pay & benefits Payroll, expenses, benefits
Monthly payroll runs, expense reimbursements, benefits enrollment.
- Payroll runs with label, period, status (draft / processed / paid)
- Progressive tax bracket engine + PF + insurance auto-calculation
- Anomaly detection (±20% variance, high tax, zero/negative net, bonus spikes)
- DomPDF payslips (employee can pull own, HR can pull any)
- Multi-currency with FX rate stored on run
- Expense reports with receipts + line-items, admin-defined categories
- Approval → reimbursement workflow with currency-aware audit trail
- Benefits plans (health / dental / vision / life / 401k) with per-tier pricing
- Coverage levels (self / spouse / family) with auto-scaling contributions
- Dependent registry with encrypted SSN at rest
- Open enrollment windows admin (outside the window, elections lock)
- Contractor invoices + mark-paid flow + Stripe Connect "Pay via Stripe"
Growth Reviews, OKRs, surveys
The soft side of HR, built as first-class modules.
- Performance cycles with self / manager / peer / upward review types
- Bulk Generate Reviews per cycle + inline reviewer assignment
- AI review summary on strengths + areas of improvement
- Reviewer + reviewee sign-off required to close a review
- OKRs: goals + key results, auto-progress from KR current/target
- Weekly check-ins (on-track / at-risk / off-track)
- 1:1 meetings with separate manager-only / employee-only / shared agenda fields
- AI 1:1 summarizer: digests shared notes into summary + action items
- Surveys: pulse, eNPS, custom (1–5 rating, 0–10 eNPS, free text)
- Anonymous responses + AI sentiment + theme extraction
Company Announcements, kudos, signatures
- Company announcements with pinning + publish date
- Kudos wall with emoji categories + reactions (also via Slack
/kudos) - Celebration widget (birthdays + work anniversaries today)
- Home-feed timeline (new hires, kudos, announcements)
- Signature requests: admin attaches a PDF + audience, queue at
/signatures - Canvas-drawn e-signatures with SHA-256 hash + IP + UA audit trail
- CSV roster export of who has & hasn't signed
- Document expiry reminders (visas, certs)
Admin & integrations Admin hub + settings
- Single Admin hub routing to every config screen
- AI provider settings (OpenAI / Anthropic / Gemini) — encrypted keys in DB
- Social login (Google / GitHub) via Socialite with per-provider DB toggle
- Integrations catalog: Stripe Connect, Slack slash commands, Calendly, Twilio
- Outbound webhooks (Slack / Teams / generic JSON) with event filtering, retry, delivery log, Test button
- Custom fields (typed: text, number, date, select, multi-select, file — per-entity)
- Bulk CSV employee import with downloadable sample at
/admin/bulk-import/sample.csv - Taxonomy CRUDs: job titles, locations, leave types, holidays, shift patterns, expense categories, skills catalog
- Performance cycles, onboarding templates, payroll config, open enrollment windows
- Roles & permissions toggle matrix (audit-logged)
Enterprise Security + compliance
- SCIM 2.0 endpoints at
/scim/v2/Users(list / create / show / patch) — Okta, Azure AD, JumpCloud - SCIM token issuance from Admin → Enterprise (raw token shown once, SHA-256 stored)
- Configurable rate limits per scope (login, quick_login, scim, webhooks, api, all)
- Scope-aware IP allowlist (admin / scim / login / all) with IPv4 + IPv6 CIDR + lockout guard
- Role delegation with start/end dates + nightly
delegations:reconcilecommand - Implied permissions granted alongside delegated ones (no dead-end 403s)
- Audit log: every privileged action recorded to
audit_logs - SIEM streaming at
/admin/compliance/audit.ndjson+audit.cef - GDPR / DPDP: self-service JSON data export with 7-day signed-URL download window
- Right-to-erasure workflow: admin-gated deletion queue, anonymize-on-process with full audit trail
- Field-level visibility rules table
- Two-factor authentication (TOTP) via Fortify; admin impersonation with visible banner
Experience Everyday delight
- Dark mode (OKLCH brand ramp, persistent per-user preference)
- Command palette (⌘K / Ctrl-K) with 40+ destinations
- Keyboard shortcuts (
gthend/i/f/e/t/p) - PWA with
manifest.webmanifest+ service worker - Offline IndexedDB queue (clock-in works offline, syncs on reconnect)
- Inbox: aggregates leave approvals, 1:1s, surveys, offers, signature requests, tasks
- Six fully localized languages: English, Spanish, French, German, Portuguese, Chinese
- Locale persists on
users.locale; emails render in the recipient's language - Quick-login demo buttons for your test environments
- "Ask HR" policy chatbot at
/ask-hrgrounded in uploaded policies
Plug in the tools your client already pays for.
All integrations live in a single admin page with encrypted credential storage. Bring your own API keys.
Each integration ships off by default. Enable the ones you need at Admin → Integrations with your own credentials — Arbor never bundles third-party API keys.
Why Arbor wins for SMBs.
| Arbor | BambooHR / Gusto | Build it yourself | |
|---|---|---|---|
| Price | One-time license | $6–$10 / user / month, forever | Dev time + ongoing maintenance |
| Where it lives | Your server | Vendor SaaS | Your server |
| Data ownership | Yours (MySQL) | Theirs | Yours |
| Source code | ✓ Full, un-obfuscated | ✗ | ✓ |
| Customize | ✓ Clean Laravel | Themes only | ✓ |
| AI | Bring your own key (8 features) | Extra add-on | DIY |
| Built-in integrations | 8 (Stripe, Slack, Calendly, Twilio, SCIM, webhooks, Google, GitHub) | 30–50 | 0 |
| Employees | Unlimited | Per-seat pricing | Unlimited |
| Shared hosting | ✓ No Redis / S3 / Postgres | N/A | Depends |
| Setup time | 10 minutes (web installer) | Hours of configuration | Weeks to months |
Nothing exotic. Runs on any LAMP host.
PHP
8.3+ (8.4 recommended)
Framework
Laravel 12 (13-ready)
Frontend
Livewire 4 + Tailwind v4 + Inter
Database
MySQL 5.7+ / MariaDB 10.4+
Auth
Fortify + Socialite + spatie/laravel-permission
PDFs
DomPDF (pure PHP)
AI
prism-php (OpenAI/Anthropic/Gemini)
Tests
Pest 4 (unit + feature + integration + browser) — 800+ tests
Tested on cPanel, Hostinger, SiteGround, and standalone Ubuntu VPS with nginx + php-fpm.
Designed to survive a security review.
Arbor handles payroll, bank details, and personal data — so it ships with the security primitives a buyer's IT team will actually ask about.
Your data, your server
No SaaS dependency. Every employee record, payslip, and document lives in the database you control. The only external call is the one-time AppTrovo license check at install (re-runnable on demand).
Encrypted PII at rest
Bank details, ID document numbers, and OAuth tokens are encrypted with Laravel's Crypt facade using your APP_KEY. Rotate the key and re-encrypt with one Artisan command.
Tamper-evident audit log
Every privileged action — role change, payroll commit, leave approval, settings edit — writes to audit_logs. Export as NDJSON or CEF for your SIEM.
IPv4 + IPv6 CIDR allowlist
Pin admin access to specific IP ranges. CIDR notation works for both IPv4 and IPv6 — useful for office networks, VPN ranges, or known SaaS egress.
GDPR / DPDP ready
Self-service data export (JSON of profile, leave, attendance, payslips, social-login links). Files land on the private disk with a 7-day signed-URL download window. Right-to-erasure flows through an admin-gated queue that anonymizes PII while preserving aggregate rows — every action audit-logged.
MFA + SSO + SCIM
TOTP two-factor authentication via Laravel Fortify. Social login (Google, GitHub) via Socialite is per-provider toggleable with audit-trail on every account-link event. SCIM 2.0 endpoints let Okta / Azure AD / JumpCloud auto-provision users.
Ten minutes, five steps. No SSH required.
Arbor ships with a polished web installer that verifies your AppTrovo license
on the spot. Vendor packages and built assets are pre-bundled — your buyer never needs
composer or npm on their server.
Server check
PHP version, extensions, writable dirs — validated in the browser.
License
Enter your AppTrovo key. Arbor contacts apptrovo.com and binds to this domain.
Database
Enter MySQL credentials. A PDO probe tests the connection before saving .env.
Admin
Create the first admin user (name, email, password).
Finalize
Run migrations, seed roles, write the lock — ready to sign in.
Everything you need, nothing you don't.
- Full Laravel source (no obfuscation)
- Pre-built
vendor/directory (no composer on server) - Pre-built
public/build/assets (no npm on server) - 5-step web installer with AppTrovo license verification
- Self-heal for upgrades (existing installs auto-lock)
- Clean
.env.examplewith every documented variable - 800+ Pest tests (unit, feature, integration, browser)
INSTALL.md— step-by-step for cPanel / VPS / etc.CHANGELOG.md— full feature manifest for v1.0.0docs/AI_SETUP.md— OpenAI/Anthropic/Gemini walk-throughdocs/SOCIAL_AUTH_SETUP.md— Google + GitHub OAuthdocs/FEATURES.md— every module, every flow- Six fully localized languages: English, Spanish, French, German, Portuguese, Chinese
- SVG app icons (192/512) for PWA + inline data-URI fallback
- GitLab CI example (
.gitlab-ci.yml) for automated deploys
Answers before you click buy.
Yes. Arbor uses MySQL and the database driver for queue / cache / session — no Redis, no Postgres, no S3, no Reverb. DomPDF is pure PHP. Vite assets and composer vendor are pre-built in the archive.
No. The installer is web-based. You upload the extracted folder, set the document root to /public, and visit the domain — the wizard handles migrations, seeds, admin creation, license verification, and the .env file.
No. AI is entirely optional. When no provider key is configured, AI-powered buttons gracefully return a placeholder string — the rest of the app works normally. Connect keys only when you're ready to pay for the AI provider.
Unlimited. Arbor runs against your own MySQL — there's no user cap baked into the code.
Yes. The source is clean, un-obfuscated Laravel — swap the logo, edit the brand palette in resources/css/app.css (Tailwind v4 OKLCH tokens), set APP_NAME + mail identity in .env, edit the copy. Localize the lot via the six built-in language packs or add a seventh by copying lang/en.
Google + GitHub via Socialite out of the box, each toggled per-provider in Admin → Social login. Two-factor authentication (TOTP) ships via Laravel Fortify. SCIM 2.0 endpoints are included for enterprise customers to auto-provision users from Okta, Azure AD, or JumpCloud.
During install you enter the license key from your AppTrovo purchase. Arbor binds the license to your domain at install time — no per-page network calls and no telemetry after that. Moving to a new domain? AppTrovo support can release your activation slot.
Upload the new files over the old install and run the standard Laravel migration step. Existing installs are detected automatically — the wizard stays dormant.
Yes — see the Live preview link on the AppTrovo listing. Four one-click demo-login buttons let you explore as admin / HR / manager / employee.
Every user has self-service data export (JSON of profile, leave, attendance, payslips, social-login links) with a 7-day signed-URL download window. Deletion requests flow through an admin-gated queue that anonymizes PII while preserving aggregate rows required for compliance. Every privileged action is recorded in the audit log, with optional NDJSON / CEF streaming to your SIEM.
Demo Credentials
| Role | User | Pass |
|---|---|---|
| Admin |
admin@arbor.test
|
|
| HR |
hr@arbor.test
|
|
| Manager |
manager@arbor.test
|
|
| Employee |
employee@arbor.test
|
Item Details
Tech Stack
Tech Stack
Database
Deployment
Authentication
Payment Integration
Hosting Compatibility
Frontend Framework
Multi-tenancy
Mobile Responsive
Real-time Features
License Type
Support Period
Dark Mode
Comments (0)
Sign in to leave a comment
Log in →No comments yet. Be the first to comment!