Security and Privacy in Spirare Web

Security is a core priority in Spirare Web. The solution is designed with privacy by design principles in accordance with the General Data Protection Regulation (GDPR). The service is hosted in an ISO 27001-certified data centre located in Sweden. Diagnostica AS is committed to maintaining a high level of information security through our Quality Management System (QMS), covering all aspects of software development, customer support, and operations.

At implementation, a Data Processing Agreement (DPA) is established with the customer. We also provide a template Data Protection Impact Assessment (DPIA) to support data controllers in their privacy assessment process. We recommend regular reviews of user access logs and user authorisations, both of which are integrated into Spirare Web.

In the event of a security incident involving personal data, Diagnostica AS will notify affected customers in accordance with applicable data protection legislation, including the GDPR.


Medical Device Regulations, Medical Device Class IIa og ISO 13485
Diagnostica AS operates a Quality Management System certified to ISO 13485:2016. Spirare Web is classified as a Class IIa medical device and is certified in accordance with Regulation (EU) 2017/745 on Medical Devices (MDR).

Electronic Referral

Spirare Web enables healthcare professionals to securely share examination results across healthcare organisations, supporting continuity of care while complying with applicable privacy and data protection regulations.

Shared examinations are accessed using a unique access code. The receiving healthcare professional authenticates using the national electronic identity service (where available) together with the access code. All access is fully logged and auditable. Spirare Web verifies that only authorised healthcare professionals are granted access to shared patient information. Access for the receiving healthcare provider is provided at no additional cost.

Secure Sign-In

Spirare Web supports secure authentication through national electronic identity (eID) services where available. User authentication is based on trusted identity providers that comply with the highest assurance levels defined by the eIDAS Regulation (Level of Assurance: High), providing strong authentication for healthcare professionals accessing the system.

User Management

sers within the healthcare organisation can access Spirare Web according to their assigned roles and permissions. During implementation, one user is designated as the system administrator and is responsible for creating and managing user accounts. Users authenticate through the organisation's configured electronic identity (eID) solution. In some Electronic Health Record (EHR) systems, user accounts are created automatically the first time a user launches Spirare Web from within the EHR.

As described earlier, external healthcare professionals who need to review examination results do not require a permanent user account. Instead, they authenticate using a trusted electronic identity (eID) service and are granted secure, time-limited access to the shared examination. The healthcare professional sharing the examination defines how long access remains available. All authentication events and user activities are fully logged and auditable.

Data Storage

Spirare Web is hosted by ElastX AB in ISO 27001-certified data centres located in the Stockholm region, Sweden. Customer data is stored and processed in isolated environments and is never shared between organisations unless explicitly authorised.

For customers using Spirare PC Plus, examination data is also stored locally in the customer's own database or Microsoft SQL Server, where applicable, providing a hybrid deployment model.

Software Updates 
Spirare Web is continuously enhanced with new features and improvements. We welcome feedback from our users and encourage you to contact Diagnostica AS with any questions, suggestions, or feature requests.

Standards Used in Spirare Web

Spirare Web stores all clinical data in a FHIR-based database hosted by our cloud service provider, using internationally recognised healthcare standards, including:

  • HL7 FHIR R5
  • SNOMED CT
  • ISO/IEEE 11073

The solution is built on the FHIR resources DiagnosticReport, Procedure, and Observation, enabling standardised and interoperable exchange of healthcare information.

Diagnostica is committed to interoperability and actively collaborates with healthcare organisations and technology partners to promote secure and seamless exchange of health data.

Standardized EHR Integration (SMART on FHIR)

Spirare Web supports SMART on FHIR, the recommended standard for integrating clinical applications with Electronic Health Record (EHR) systems. In EHRs that support SMART on FHIR, users can typically launch Spirare Web directly from the application's Apps menu or a similar interface. The application opens seamlessly within the EHR, with the correct patient context already established.

This provides a more interactive user experience than traditional document-based integrations, allowing clinicians to review, compare, and analyse examination results directly within the clinical workflow.

Where supported by the EHR, single sign-on (SSO) enables users to access Spirare Web without signing in again.

Offline Use

Some users, such as occupational health professionals working on-site or healthcare providers in areas with unreliable internet connectivity, may occasionally need to work without network access.

For organisations that primarily use Spirare Web but require offline capability, Spirare PC Plus can be used as a local alternative. Examinations performed and stored in the local PC application can be synchronised with Spirare Web automatically once an internet connection becomes available.