
Introduction
In a modern clinical trial, the data that matters most rarely comes entirely from the EDC. Central lab results, ECG interpretations, ePRO responses, PK samples, imaging reads, wearable sensor data, and safety reconciliation outputs are all generated by third-party vendors - and every one of those vendors must be actively managed by the Clinical Data Management team.
Vendor management in CDM is the structured oversight of third-party vendors that collect, transfer, process, or report clinical trial data. It spans the entire study lifecycle: from vendor selection and contracting through data transfer review, ongoing oversight, reconciliation, and final closeout sign-off.
The vendor owns the service. The CDM owns data oversight.
What Is Vendor Management in CDM?
Vendor management is structured oversight - not passive receipt of data files. Four dimensions:
- Documentation Oversight - DTA, DTS, reconciliation plans, transfer trackers, and UAT sign-off evidence must be current, approved, and in the TMF
- Data Quality Oversight - Each incoming transfer reviewed for completeness, format compliance, subject ID matching, and data consistency
- Data Source Oversight - Data received matches what the vendor's system collected; discrepancies between source and transfer file are investigated, not assumed
- Secure Data Transfer - Data moves through approved, encrypted pathways (SFTP, secure portal); no unencrypted transfers of participant-level data
Why vendor management is a CDM priority:
- Protects data integrity and participant safety - vendor data feeds directly into safety analyses and endpoint datasets
- Under ICH GCP E6(R2) Section 5.2, the sponsor remains responsible for data integrity even when a vendor performs the work. CDM vendor oversight fulfils this regulatory obligation - inspectors assess whether the sponsor has adequate oversight of their vendors, not just whether the vendor performed the service
- Enables reliable reconciliation with EDC - without structured oversight, reconciliation is impossible to perform or defend
- Prevents delays in database lock and reporting - vendor data issues are among the top contributors to lock delays
Common Vendors in Clinical Trials
| Vendor Type | Data Produced |
|---|---|
| Central Lab | Hematology, chemistry, urinalysis, biomarkers |
| Imaging Vendor | MRI, CT, x-ray assessments and reader outputs |
| eCOA / ePRO | Diaries, questionnaires, VAS, patient-reported scales |
| Wearable / Device | Heart rate, activity, sleep, and continuous sensor data |
| ECG Vendor | ECG intervals, waveform data, and clinical interpretation |
| PK / PD Lab | Pharmacokinetic samples, PD biomarkers, concentration data |
| IRT / Randomisation | Randomisation assignments, kit assignments, dosing support |
| Safety / PV Vendor | SAE reconciliation, AE/SAE matching outputs |
Each vendor introduces unique data flows, reconciliation needs, and oversight risks. The CDM approach must be tailored to each source.
Vendor Management Lifecycle: Five Stages
- Vendor Selection - Evaluate capability, systems, experience, and compliance. Does the vendor support CDISC-aligned formats? What are SLA commitments for timeliness? Will the vendor participate in UAT?
- Contracting, Setup, and Specifications - Define roles, DTA, DTS, data flow, reconciliation plan, and timelines. This is the highest-leverage stage: every requirement defined here is a requirement that does not need to be retroactively negotiated during live data collection
- Startup and UAT - Test transfers, validate setup, confirm mapping, and review edit checks. UAT for vendor data transfer confirms: file arrives in specified format, all expected fields are present, Subject ID and visit/timepoint mapping is correct
- Ongoing Oversight - Monitor transfers, data quality, reconciliation status, issues, and KPIs throughout the study. Define a regular review cadence and maintain a transfer tracker reflecting current state of every data source
- Final Transfer and Closeout - Confirm final clean data received, complete reconciliation, and obtain vendor sign-off documentation before database lock
Strong setup reduces downstream data issues. Every hour invested in Stage 2 prevents multiple hours of remediation in Stages 4 and 5.
Key Documents CDMs Must Oversee
DTA - Data Transfer Agreement: High-level agreement defining transfer method, frequency, security requirements, responsibilities, and escalation contacts. The "what and when."
DTS - Data Transfer Specification: Technical blueprint for the data file - dataset names, variable names, formats, controlled terminology, units, and data files. The "how and what it looks like." Every reconciliation check is performed against the DTS.
DTA defines expectations. DTS defines the data file. Both must be approved and aligned before the first transfer.
DPA - Data Processing Agreement: Under GDPR Article 28, any third party processing personal data on behalf of the sponsor must have a DPA in place before processing begins. Every lab, ePRO vendor, imaging vendor, or wearable provider that receives participant-level data requires a DPA. Confirm DPAs are in place for all in-scope vendors at setup - not as a retrospective check. The DPA is distinct from the DTA: the DTA defines transfer mechanics; the DPA defines privacy roles and responsibilities.
DMP - Data Management Plan: Defines how vendor data is integrated into the overall data management process - which vendors are in scope, how data is received and QC'd, where it maps in the EDC or SDTM structure, and when reconciliation occurs.
Reconciliation Plan: Defines how vendor data will be compared with EDC/source data - matching fields, expected matching rate, discrepancy classification, and issue resolution process.
Transfer Tracker: Tracks all transfers: date received, file version, issues identified, decisions made, and resolutions. The operational audit trail for vendor data management.
UAT Evidence and Sign-Off: Confirms system setup and data transfers are validated and approved before go-live.
DTA vs DTS: What CDMs Must Know
| DTA | DTS | |
|---|---|---|
| What it defines | Transfer expectations | Exact file structure |
| Content | Method, frequency, security, responsibilities | Dataset names, variable names, formats, units, controlled terms |
| Level | High-level agreement | Technical blueprint |
| Focus | "What" and "when" | "How" and "what it looks like" |
When a vendor delivers a file that does not match the DTS, the DTS makes the issue unambiguous. A reconciliation finding not explained by the DTS is a gap in the DTS - resolve through formal DTS amendment, not an ad hoc workaround.
Vendor Data Flow: Source to Database
| Step | Description | CDM Activity |
|---|---|---|
| 1. Site / Participant / Device | Source of observations and data capture | Protocol compliance; matching eCRF data |
| 2. Vendor System | Collects and processes data | Vendor setup confirmed in UAT |
| 3. Data Transfer | CSV, SAS, API, or SFTP | Transfer receipt confirmed per DTA timeline |
| 4. CDM QC & Transfer Review | Format, completeness, and accuracy checks | Oversight checklist applied to every transfer |
| 5. EDC / SDTM Mapping | Data integration and mapping | Mapping confirmed against DTS; discrepancies flagged |
| 6. Reconciliation + Queries | Match with EDC/source data; resolve discrepancies | Tracker updated; queries raised as needed |
| 7. Database Lock | Clean, traceable, analysis-ready data | Final reconciliation sign-off; vendor closeout confirmed |
CDM Oversight Checklist: Six Questions for Every Transfer
- Was the transfer received per the DTA/DTS timeline? - Log late transfers; assess downstream impact
- Are all expected subjects, visits, and timepoints included? - Missing records require investigation before assuming
- Do Subject ID, Visit Date/Time, Units, and Test Names match the DTS? - Any deviation requires formal investigation and documentation
- Are missing, duplicate, or unexpected records identified? - Classify: vendor file error, site data entry issue, or protocol deviation?
- Does vendor data reconcile with EDC/source data? - Document the outcome; all discrepancies must be tracked and resolved
- Are corrections documented, versioned, and traceable? - Every corrected file must be logged as a new version with documented rationale
Common Vendor Issues and CDM Response
| Issue | CDM Response |
|---|---|
| Late transfer | Log the issue; follow up with vendor; assess downstream impact on data review and lock timelines |
| Wrong format | Reject the file or request corrected file; do not manually reformat without documented authorisation |
| Missing Subject ID | Query vendor or site; never guess - ID mismatches must be formally resolved |
| Visit or unit mismatch | Confirm expected mapping against the DTS before investigating |
| Data changed without flag | Request change reason and audit trail; an unexplained data change is a data integrity issue |
| Unblinded data sent to blinded team | Escalate immediately - this is a blinding breach and protocol deviation. Escalate to sponsor/medical monitor/DSMB. Document formally: who received the data, what data, when, actions taken, and impact assessment. Do not continue working with unblinded data without explicit sponsor instructions |
Repeated issues should be escalated to PM, sponsor, and vendor governance. Repeated issues that are not formally escalated are implicitly accepted as normal - which they are not.
Best Practices for CDM-Led Vendor Management
- Define clear roles, responsibilities, and escalation pathways - Every vendor engagement needs a named CDM owner, vendor contact, and escalation path; ambiguity in ownership creates delays
- Use precise DTA and DTS - and keep them updated - Protocol amendments, new vendors, or format changes must trigger formal DTA/DTS amendments; never reconcile against an outdated DTS
- Perform thorough UAT before the first data transfer - Test end-to-end: send a test file, receive it, confirm format, map to EDC, run reconciliation check; vendor integration UAT is as important as EDC UAT
- Monitor KPIs and vendor performance trends - Track: transfer timeliness rate, re-send rate, reconciliation discrepancy rate (per 100 records), and days-to-resolution for open discrepancies. Declining KPIs signal a vendor requiring proactive escalation
- Maintain strong documentation and audit trail for all decisions - Every decision about vendor data must be documented with rationale, date, and approver; undocumented decisions are invisible to regulators
- Plan early for final transfer and database lock readiness - Confirm: when is final data transfer expected? What is the cutoff for corrections? When will reconciliation be complete? Who provides vendor closeout sign-off? These questions must be answered before lock week
Strong vendor management protects data integrity, prevents reconciliation delays, and supports database lock readiness.
This content is AI-assisted and expert-reviewed. All vendor management principles are aligned with ICH GCP E6(R2), CDISC data standards (CDASHIG, SDTMIG), GDPR Article 28, and clinical data management best practices. Content is intended for clinical research professionals for educational and professional development purposes.
About the Author
Neel Gajjar
CCDM®Clinical Data Manager II
Clinical Data Manager specialising in EDC systems, CDISC standards, and GCP-compliant data governance. Creator of the Clinical Research Learning Hub — a platform built to make rigorous clinical research education accessible to every professional in the field.
Connect on LinkedInAll content is expert-written and SME-reviewed. Regulatory references are verified against current ICH GCP E6(R2), FDA, and EMA guidance.



Comments
Leave a comment