Documentation | Honpain Technologies

Overview

The Honpain Technologies Payslip Distribution System is a Django-based SaaS platform that automates the upload, encryption, and secure email delivery of employee payslips. It is purpose-built for organisations in Papua New Guinea that need a reliable, compliant, and audit-ready payroll delivery workflow.

Minimum requirements to run the platform:

Python 3.12+
Django 5.1+
PostgreSQL 17+
Redis 7+ (Celery task queue and WebSocket layer)
Docker + Docker Compose (recommended deployment method)

What the platform does in practice:

Upload a single multi-page PDF — the system automatically splits and routes each page to the correct employee
Encrypt every payslip PDF before delivery (password = employee number)
Bulk-send payslips to all employees or send individually
Employees log in to a self-service portal to access their payslip history at any time
Full audit trail of every login, upload, distribution, and download event
Per-organisation email sending — use your own SMTP server, SendGrid, Mailgun, MailerSend, and more

First-time administrators: sign in and change your temporary password immediately. Use the password change form at Account → Change Password.

If your organisation is not yet registered on the platform, you can sign up for a free 30-day trial:

Go to /licenses/signup/ or click Sign Up in the navigation.
Enter your Organisation name, Organisation initials, your full name, email address, and a password.
Tick the Terms of Service checkbox and click Create Account.
Check your inbox — a confirmation email has been sent to the address you provided.

After confirming your email, you are automatically logged in and taken to your organisation's dashboard. Your account is set up on the Free plan with a 30-day licence. Contact your Platform Administrator to upgrade.

Email Confirmation

After signing up (or being added by an admin), you receive an email with the subject "Confirm your Honpain account". Click Confirm Email in the message to activate your account. Confirmation links are valid for 24 hours.

Link expired? Ask your Organisation Admin to resend the confirmation from the employee management screen, or ask the Platform Superadmin to manually activate your account via the User Activation page.

Go to /accounts/login/ (or click Sign In in the navigation). Enter your username (or email) and password, then click Sign In.

Organisation Admins are taken to the Express Distribution dashboard.
Employees are taken to their payslip portal (/payslips/home).

Remember Me: Tick this before signing in to stay logged in for up to two weeks, even after closing the browser. Leave it unticked for a session that expires when you close the browser.

If your platform administrator has set up Google or Microsoft OAuth, you will see Continue with Google and Continue with Microsoft buttons on the sign-in page. Click either button to sign in using your existing Google Workspace or Microsoft 365 account — no separate password is required.

If you already have an account on the platform with the same email address, the social account will be linked to it automatically. No duplicate accounts are created.

Administrator setup required: Social login requires OAuth credentials from Google Cloud Console (for Google) and Azure App Registrations (for Microsoft), added to the .env file before deployment. Contact your Platform Superadmin to enable this feature.

Password Reset

Click Forgot password? on the sign-in page.
Enter your email address and click Send Reset Link.
Check your inbox for an email with subject "Password Reset".
Click the link in the email and enter your new password twice.
Click Set New Password — you are taken to a confirmation page.
Click Sign In to log in with the new password.

Reset links expire after 24 hours. If yours expires, simply repeat the process from step 1. Password reset emails are sent via your organisation's configured email provider.

Subscription Plans

Honpain Technologies offers five plans. All plans include PDF password protection and download tracking. Capacity limits reset at the start of each billing cycle.

Plan	Price	Employees	Sends/month	Distribution	Key Inclusions
Free	K0	10	20	Express only	Employee Portal, Express Distribution
Basic	K500 / month	50	100	Normal (bulk)	Bulk Distribution, Employee Portal, Email Support, PDF Password Protection, Download Tracking
Standard ⭐	K1,200 / month	200	400	All types	Employee Portal, Analytics, Custom SMTP, Priority Support
Professional	K2,500 / month	1,000	2,000	All types	Multiple Admins, Analytics, Full Audit Trail, Custom SMTP
Enterprise	Custom	Unlimited	Unlimited	All types	All features + REST API, Dedicated Manager, SLA & Phone Support, White-label Option

Distribution types explained:

Express only — single-employee immediate send; no bulk distribution
Normal (bulk) — send to all matched employees at once via employee email addresses
All types — bulk via employee emails, bulk via distribution lists, and single-send

Plan limits are enforced automatically. Approaching your seat limit triggers a warning on the Organisation Dashboard. Submit a renewal or upgrade request from the dashboard and your Platform Administrator will action it.

Roles & Access Control

The platform uses three access tiers. Users can only access features and data appropriate to their role — no admin can see another organisation's data.

Role	Can do	Restrictions
Superadmin	Full platform access — all organisations, all plans, Django admin panel	—
Organisation Admin	Manage employees, upload & distribute payslips, view audit logs, configure email settings	Own organisation only; cannot create/edit subscription plans; bulk distribution requires plan ≥ Basic
Employee	View and download own payslips via the portal	No admin access; blocked entirely if Has Portal Access is revoked

Audit logs are strictly org-scoped — Organisation Admins only see events from their own organisation. Superadmin login events are not stored in any organisation's audit log.

Managing Employees Admin

Employee records are the foundation of the platform. All payslip matching, distribution, and portal access are tied to an employee record. Navigate to Administration → Users & Roster in the sidebar.

Three tabs are available: Employees, Admin Users, and Import / Sync.

To add a single employee: click Add Employee, fill in the required fields (Full Name, Email, Employee Number), choose the user type (Admin or User), optionally set a temporary password, then click Save.

Portal access and licence seats: Each employee with Has Portal Access = Yes consumes one licensed seat. When you reach your plan's seat limit, additional employees are stored in the system but cannot log in or receive payslips until you upgrade your plan.

Bulk Employee Upload Admin

Who can do this? Organisation Admins and Superadmins. This is the recommended approach for any organisation with more than a handful of employees.

Prepare a CSV or Excel file with the columns described below.
Go to Administration → Users & Roster → Import / Sync tab.
Drop your file onto the upload area, or click Choose File.
Click Import Employees.
A summary banner confirms how many records were created, updated, and skipped.

The import is non-destructive — it never deletes existing records. Each row is processed as an upsert: matched by Employee Number first, then by Email. You can safely re-upload the same file after corrections; duplicates are not created.

CSV / Excel Column Reference

Column name	Required	Description
`Employee Number`	Recommended	Unique payroll ID. Used to match payslips to employees. Auto zero-padded to 8 digits. If omitted, email is used as the unique key.
`Full Name`	Required*	Employee's full name. Can be replaced by `First Name` + `Last Name` columns.
`First Name`	Optional	Combined with `Last Name` when `Full Name` is absent.
`Last Name`	Optional	Combined with `First Name` when `Full Name` is absent.
`Email`	Required	Employee's email address. Payslips and portal credentials are sent here. Rows missing an email are skipped.
`Temp Password`	Optional	If supplied, a portal login account is created. Employees should change it on first login. If omitted, no login account is created.
`Phone Number`	Optional	Stored for reference.
`Department`	Optional	Used for filtering and reporting.
`Job Title`	Optional	Stored for display in the employee list.

* Rows missing both Full Name and a First Name/Last Name pair are skipped with a warning.

Example file

Employee Number,Full Name,Email,Temp Password,Phone Number,Department,Job Title
00000001,John Kila,[email protected],Welcome1!,70000001,Finance,Accountant
00000002,Mary Temu,[email protected],Welcome1!,70000002,HR,HR Officer
00000003,Peter Mond,[email protected],,70000003,ICT,Systems Analyst
00000004,Susan Baro,[email protected],Welcome1!,,Operations,

Row 3 (Peter Mond) has no Temp Password — his record is created but he cannot use the portal. Row 4 (Susan Baro) has no phone or job title; those columns are simply left blank.

Uploading Payslips Admin

Bulk payslip upload accepts a single PDF file containing multiple payslips — one or more pages per employee. The system extracts, splits, and maps each page to the correct employee record automatically.

Navigate to Payslip Management → Load Data in the sidebar.
Click Upload Payslip PDF.
Select the Pay Period End (PPE) date and Year.
Drag your PDF onto the upload area, or click Choose File. Maximum file size: 200 MB.
Click Upload. The system extracts page text in the background and creates the upload record.

Processing

After uploading, you must trigger processing to split the PDF and create individual payslip records:

Go to Payslip Management → Load Data — find the upload in the list.
Click the upload to open its detail page.
Click Process.
Monitor progress under Background Tasks — wait for status SUCCESS.

Payslip Mappings

After processing, check Payslip Management → Payslip Mappings to confirm all pages were correctly matched to employee records. Unlinked payslips appear with a red badge — the system could not find an employee with a matching number.

To fix an unlinked payslip: click the record, choose the correct employee from the dropdown, and click Link.

To auto-link all remaining unlinked records: click Link All Unlinked. Any pages still unmatched after this step require manual review.

Distribution Admin

Payslips can be distributed three ways:

Bulk Distribution — send to all matched employees for a Pay Period in one job
Express Distribution — immediate single-employee send without storing data
Custom / Single Distribution — send an individual payslip to a specific email address

All bulk jobs run as background Celery tasks. Monitor progress under Background Tasks. Each payslip is automatically encrypted before delivery — the PDF password is the employee's number.

Bulk Distribution

Navigate to Payslip Management → Bulk Actions → Distribute.
Select the Year and PPE.
Choose the distribution mode: Employee Email (sends to the address stored on the employee record) or Distribution List (sends to a pre-loaded list).
Click Distribute. The job is queued as a background task.

Plan requirement: Bulk distribution requires a plan with Normal or All distribution type (Basic plan or higher). Free plan is express-only.

Express Distribution

Available on all plans including Free. Use the main landing page after login or navigate to Express Distribution. Upload a single-page payslip PDF, enter the employee's email and employee number, then click Send. The payslip is encrypted and sent immediately without storing data.

Single / Custom Distribution

On the Bulk Actions → Distribute page, use the per-row Send button to send an individual payslip to a specific (or alternative) email address. A dialog lets you confirm or change the recipient before sending.

Compatibility Test Admin

Before distributing, run the Compatibility Test from the payslip upload detail page. It checks:

PDF validity — file is a readable, well-formed PDF
Employee ID matching — each page's embedded employee number exists in the roster
Email address — matched employees have a valid email address on file
Encryption readiness — file can be encrypted using PyPDF2
File size — total file is within the 200 MB limit
Duplicate detection — same PPE + employee not already sent

Results are shown in a table. Fix all red rows before distributing.

Background Tasks Admin

Navigate to Payslip Management → Background Tasks to monitor all distribution and processing jobs you have triggered. The page polls for live status updates every few seconds.

Status	Meaning
PENDING	Queued — waiting for a worker to pick it up
STARTED	Celery worker has started the task
PROGRESS	Running — progress bar shows completion %
SUCCESS	Completed successfully
FAILURE	Failed — click the row to see the error and use Retry

To retry a failed task, click its row and click Retry. A new task is created with the same parameters. Tasks are scoped to the current user — you only see jobs you triggered.

Distribution Lists Admin

Distribution lists are named collections of email addresses loaded from a CSV or Excel file. They allow you to define custom recipient groups — for example, employees at a specific site or in a specific department — and use them as the recipient set for bulk distribution jobs.

Navigate to Administration → Distribution List. Click Add Distribution List, provide a name, upload your CSV/Excel file, and click Save. When running bulk distribution, choose Distribution List mode and select the list you want to use.

Email & Provider Settings Admin

Each organisation can configure its own email provider under Administration → Site Settings → Email Provider tab. Three providers are supported. All outgoing emails — payslip delivery, password reset, test emails — use the configured provider.

If no org-level provider is configured, the system falls back to the global settings configured by the Platform Superadmin, and then to the values set in the server's environment variables.

SMTP (default)

Use your own mail server or an SMTP relay

Works with any SMTP server: Gmail, Google Workspace, Outlook, custom corporate mail servers, or relay services like Amazon SES.

Field	Description	Example
`SMTP Host`	Mail server hostname	`smtp.gmail.com`
`SMTP Port`	Usually 587 (TLS) or 465 (SSL)	587
`Username`	Your email login	`[email protected]`
`Password`	Email password or app-specific password	—
`Use TLS`	Recommended. Tick unless your server requires SSL.	✓ checked
`Default From`	Sender address employees see	`HR Team <[email protected]>`

Gmail / Google Workspace: You must create an App Password in your Google account security settings (requires 2FA). Your regular Gmail password will not work with SMTP.

Anymail — SendGrid, Mailgun, Postmark, SparkPost, Mailjet New

API-based transactional email for higher deliverability

Uses the django-anymail library to connect to your chosen transactional email provider via its API — no SMTP configuration required.

SendGridMailgunPostmarkSparkPostMailjet

Select Anymail as the provider on the Email Provider tab.
Select your sub-provider (e.g. SendGrid) from the dropdown.
Paste your API Key from your provider's dashboard.
For Mailgun only: also enter your verified Sender Domain.
Set your Default From Address (must be a verified sender in your provider).
Click Save, then click Send Test Email to verify.

MailerSend New

MailerSend transactional email API

Connects via the Anymail MailerSend backend. Requires a MailerSend account with a verified sending domain.

Select MailerSend as the provider.
Paste your API Token from the MailerSend dashboard.
Set your Default From Address (must be on a verified domain in MailerSend).
Click Save, then click Send Test Email.

After saving any provider configuration, always use Send Test Email to confirm delivery before your next distribution run. The test message is sent to your logged-in account's email address.

Email Templates Admin

Navigate to Administration → Site Settings → Email Templates tab to customise the subject line and body of the payslip email your employees receive.

Available placeholders:

Placeholder	Replaced with
`{employee_name}`	Employee's full name
`{employee_number}`	Employee's payroll number (also the PDF password)
`{ppe}`	Pay period end date / code
`{year}`	Payroll year

If both the subject and body fields are left blank, the system uses built-in defaults. Click Save Templates to apply changes — all future distributions will use the new templates.

Organisation Settings Admin

Navigate to Administration → Site Settings → Organisation tab. View and edit your organisation's basic details (name, initials, payroll system). The bottom of this tab shows read-only licence information: current plan, licence status, expiry date, staff ceiling, and licence key.

To request a plan upgrade or renewal, contact your Platform Superadmin. The licence status is enforced automatically — when Expires At passes, users are redirected to a "Licence Expired" page on their next page load.

Audit Logs Admin

Navigate to Administration → Audit Report → Audit Logs. The platform maintains a complete, org-scoped audit trail of all significant actions:

Login and logout events
Employee record create, update, and delete
Payslip upload and distribution jobs
Portal payslip downloads

Filters: Filter by user, action type, and date range. Export: Click Export CSV to download the filtered log as a spreadsheet.

Audit logs are strictly org-scoped. Organisation Admins only ever see events from their own organisation. Superadmin login events are not stored in any organisation's audit log.

Reports Admin

Navigate to Administration → Audit Report → Reports. The Reports tab shows distribution summaries grouped by time period — number of upload batches, employees covered, and payslips processed. Select Monthly, Yearly, or Custom range. Click Export CSV to download.

Analytics Admin

Navigate to Administration → Audit Report → Analytics. Shows email delivery and employee engagement metrics for your organisation.

Metric	Description
Total Sent	Payslip emails delivered successfully
Total Failed	Emails that encountered a delivery error (see error details in the log)
Delivery Rate	% of payslips successfully delivered
Portal Downloads	Number of payslip downloads from the employee self-service portal

The page auto-refreshes every 30 seconds. Click Export CSV to download the data.

Why portal downloads instead of email opens? Email open tracking via embedded pixels is blocked by most modern clients (Apple Mail Privacy Protection, Gmail image proxy, etc.) and produces inaccurate counts. Portal downloads are a more reliable signal that an employee has actually received and viewed their payslip.

Employee Portal Employee

Employees sign in at /accounts/login/ and are taken directly to their payslip list at /payslips/home. They can view and download their entire payslip history — no admin features are available from this view.

Use the Year and Month dropdowns to filter. Type in the search box to find a payslip by PPE code or date.

Downloading Payslips

Click Download next to any payslip in your list. Your browser downloads a password-protected PDF. Each download is logged — your Organisation Admin can see download counts and timestamps per document.

If you see a "Portal access has been revoked" message, contact your Organisation Admin — your portal access has been suspended (usually because your organisation has reached its plan limit or your employment has ended).

Opening an Encrypted PDF

All payslips are password-protected. When you open the downloaded PDF, your PDF reader will prompt for a password.

Your password is your Employee Number (e.g. 00000001).

Your employee number is the payroll ID assigned by your HR department. If you do not know your number, contact your Organisation Admin.

System Administration Superadmin

Platform Superadmins access the Django admin interface at /admin/ using a superuser account. The admin panel is the low-level management interface for:

Inspecting and editing any record across all organisations
Viewing email delivery logs (PayslipEmailLog) and task records (TaskStatus) for debugging
Managing global SiteSettings (the fallback email configuration used by organisations that haven't set their own)
Assigning custom Django permissions to users
Activating unconfirmed user accounts at /licenses/users/activate/

Licence Management Superadmin

Superadmins manage organisations and subscription plans via Administration → License Management in the sidebar.

To renew a licence: edit the organisation, update Expires At to the new expiry date, ensure Is Active is checked, and click Save.

To upgrade a plan: edit the organisation and change the Subscription Plan field.

Licence enforcement: when Expires At passes, the LicenceExpiryMiddleware redirects all authenticated users in that organisation to a "Licence Expired" page on their next request. No data is deleted — renewing the licence restores full access immediately.

API Reference

The platform exposes internal API endpoints used by the frontend and available for integration. Authentication uses Django session cookies; write operations require a valid CSRF token.

Task Status

GET /employee_distribution/api/task-status/
  → Returns status for all tasks belonging to the current user
  → Used by the Background Tasks page for live polling

Response: [{task_id, status, meta, task_type}, ...]

Payslip Email Log

GET /api/audit/reports/
  → Lists audit reports for the current organisation (org-scoped)
  → Superusers see all organisations' reports

Employee Endpoints

GET  /api/employees/          — list employees (org-scoped, paginated)
POST /api/employees/          — create employee
PATCH /api/employees/{id}/    — update employee fields

Payslip Endpoints

GET  /api/payslips/           — list payslips (org-scoped)
POST /api/payslips/{id}/link/ — link payslip to employee record

Troubleshooting

Bulk import shows "0 created, 0 updated"

All rows were skipped. Common causes:

Missing or mis-named column headers — check that Full Name (or First/Last) and Email columns exist
Hidden BOM marker at the start of the file (common with Excel-saved CSVs) — open in a text editor and resave as UTF-8
Extra spaces in header names (e.g. Email instead of Email)

Employee cannot log in

Check in order: (1) Has the employee clicked the confirmation email link? (2) Is Has Portal Access checked on their record? (3) Has your organisation reached its licensed seat limit? (4) Is the account active in the Django admin?

Payslips show as "Unlinked"

The employee number in the PDF did not match any record. Check for formatting differences (e.g. 1 vs 00000001). Use Payslip Mappings → Link to manually assign, or use Link All Unlinked.

Emails not being received

Check the Analytics tab — if the email shows status = failed, the error message indicates the cause. Go to Site Settings → Email Provider and use Send Test Email to verify your configuration. For Gmail, use an App Password (not your regular password). Check the employee's spam/junk folder.

Password reset email not received

Verify the organisation's email provider settings are correctly configured and test with Send Test Email. Check spam/junk. Ask the Organisation Admin to verify the employee's email address on their record.

Background task stuck as PENDING

The Celery worker may not be running. Ask your Platform Superadmin to check the worker logs (make logs-celery) and restart if needed (make restart-celery).

PDF password not working

Your password is your Employee Number zero-padded to 8 digits (e.g. 00000001, not 1). Contact your Organisation Admin to verify the exact number stored on your record.

Licence expired — cannot access the platform

Contact your Organisation Admin. They can view the expiry details on My Organisation and request a renewal from the Platform Superadmin. No data is deleted; renewing restores access immediately.

SMTP test email fails

Re-check your credentials. For Gmail, ensure you are using a 16-character App Password, not your account password. For other providers, confirm the SMTP host and port are correct and that TLS/SSL is set correctly. Some corporate firewalls block outbound SMTP on port 587 — try port 465 (SSL) as an alternative.

Platform Documentation

Contents