Conversation That Matters

Who Owns Compliance? Shared Responsibility in the SaaS Era

No deviation’s Takeaways from ISPE France Conference – Evolution of Supplier Relationships in Regulated SaaS Environments

Topic: A deep dive into how the supplier-client relationship is evolving in SaaS solutions for regulated industries like pharmaceuticals—focusing on the critical shift toward true partnership and shared responsibility.

Speaker: Philippe Lenglet – Dassault Systèmes 3DS Compliance & Risk

In highly regulated sectors, managing suppliers isn’t just about control—it’s about collaboration. As presented during the ISPE France Conference, the focus is shifting from transactional relationships to strategic partnerships where trust, clarity, and shared goals are non-negotiable.

“It’s not just about buying a tool or service anymore—it’s about building a relationship where success and compliance are collective responsibilities.”

Partnership: The New Foundation

In the past, managing suppliers could feel combative or bureaucratic. But today, especially in the context of SaaS, it’s all about partnership.

The keynote speaker reminded us how even terminology has evolved—from “supplier management” to “supplier involvement” and now to “partnership valorization.”
The critical takeaway? Successful projects require suppliers and clients to work together, with aligned interests and mutual respect.

“Partnership isn’t a buzzword—it’s the backbone of modern supplier relationships in regulated industries.”

Shared Responsibility: Understanding the SaaS Model

Unlike traditional software, SaaS solutions introduce a model of shared responsibility between provider and client.

The provider manages infrastructure and updates, but clients must still define their own requirements (URS), ensure compliant usage, and maintain operational control. Maturity plays a bigger role than company size.

“Even in a SaaS world, clients can’t outsource responsibility—they share it.”

The success of a SaaS project hinges on clear roles, constant communication, and an understanding that compliance remains a joint effort.

The Supplier’s Tightrope: Regulated Industries and Tech Expectations

Suppliers in pharma and other GxP industries must juggle multiple sets of regulations:

  • Compliance with tech industry standards (like ISO 27001)
  • Specific regulatory demands of their clients’ industries (GxP, Annex 11)

Additionally, the fast-paced release cycles typical of SaaS (e.g., updates every 8 weeks) can seem risky to traditional pharma mindsets—but they offer critical advantages in security and functionality.

“Pharma is used to slow, controlled changes. SaaS lives in a fast, dynamic world. Bridging that gap is part of the partnership challenge.”

RFPs and Acceptance Criteria: Getting It Right from the Start

One striking point: clients often underestimate the importance of writing clear Requests for Proposal (RFPs) and acceptance criteria.

Without defined requirements and evaluation methods, clients risk subjective audits and unmet expectations.

“If you don’t know what you want, no supplier—however good—can deliver it.”

Suppliers encourage clients to sharpen their specifications early, making the entire validation and audit process smoother and more robust.

Audits: Less Checkbox, More Insight

In regulated industries, audits are inevitable—but not all audits are created equal.

Generic audits (based solely on ISO certifications) miss the specifics of SaaS needs. The speaker advocated for more targeted audits focusing on:

  • Software Development Life Cycle (SDLC)
  • Integration of regulatory requirements (like Annex 11)
  • Operational resilience and data integrity

Certifications like SOC 2 offer deeper insights into operational practices and controls.

“A good audit is not a threat—it’s a chance to learn, adapt, and build a better partnership.”

Documentation: Substance Over Format

Documentation expectations must evolve too.

Instead of rigidly demanding frozen Word documents, auditors and clients should focus on the clarity and usability of information—whether it’s a Word file, a Wiki page, or an online dashboard.

“Good documentation is understandable, current, and used—not just archived.”

The flexibility to adapt documentation methods (without losing regulatory alignment) is critical in fast-evolving SaaS environments.

Data Integrity and Exit Clauses: Preparing for Tomorrow

With regulations like the EU Data Act emerging, suppliers and clients must proactively manage:

  • Data retention policies
  • Backup and migration capabilities
  • Exit strategies for switching providers

Surprisingly, many clients still lack clear data retention plans, exposing them to compliance risks.

“Owning your data lifecycle is not optional anymore—it’s part of compliance.”

Cooperation vs. Collaboration—and the Rise of DORA

The conference closed with a nuanced point: understanding the difference between cooperation (shared goals) and collaboration (shared actions).

With new regulations like DORA (Digital Operational Resilience Act) impacting tech suppliers—even those outside finance—contracts must reflect readiness to support clients during regulatory inspections and operational challenges.

“Suppliers aren’t just service providers anymore—they’re operational resilience partners.”

Partnership-Centered, Audit-Ready

In regulated industries, the SaaS revolution is not only technical—it’s relational.

Suppliers and clients must build partnerships grounded in transparency, shared responsibility, and proactive compliance.
Audits, RFPs, documentation, and data policies must all evolve in this new reality.

At No deviation, we believe the future of pharma and tech partnerships will be shaped by those who view compliance not as a constraint, but as a catalyst for excellence.

Want to go deeper?

Contact us at hello@nodeviation.com and let’s have a conversation… that matters.