Article 28 of the GDPR is the section that governs the relationship between a controller (the organization that decides why and how personal data is processed) and a processor (the vendor that processes that data on the controller's behalf). It is the legal backbone of every modern Data Processing Agreement.
The article does three things that matter operationally. First, it requires controllers to use only processors that provide "sufficient guarantees" about appropriate technical and organizational measures. Second, it requires the processor relationship to be governed by a written contract with a specific list of mandated terms. Third, and this is where most teams get caught flat-footed, it requires the processor to obtain the controller's prior authorization before engaging any sub-processor, and to flag changes to the sub-processor list with enough notice for the controller to object.
In practice, Article 28 is the reason your sub-processor list cannot be a stale PDF. It is the reason your DPA needs to spell out what each party does on data-subject requests, breach notification, return or deletion of data at termination, and processor audits. And it is the reason a procurement reviewer will reject a vendor that cannot tell them, in writing, where the data goes after it leaves their server.
When an enterprise buyer asks about Article 28 compliance, they are usually asking three concrete questions: do you have a DPA we can sign, can you produce a current sub-processor list, and what is your notification mechanism when that list changes. Teams that can answer all three on the first pass close deals faster.