We have a number of companies using Upfort Shield that are HIPAA compliant. While we are not certified HIPAA compliant, those companies are comfortable using Upfort based on a review of our privacy policy (https://www.upfort.com/privacy-policy).
We don't store any PII when your users are completing our security trainings, phishing simulations, and vulnerability scans. The only instance we may store PII is when an email has been flagged by our Inbox Defender tool. The data contained within the email is stored and used solely to train our machine-learning models.
For more information about how we keep your data safe, please see this article. And if you would like to discuss this further please reach out to contact@upfort,com.