A sub-processor is any third party a processor brings in to help it process personal data on behalf of the original controller. If your SaaS vendor uses AWS for hosting, Datadog for logging, and a customer-support tool that touches personal data, those three are sub-processors of your data. Article 28 of the GDPR makes the controller responsible for the entire chain.
Two operational requirements drive most of the work. First, the processor has to maintain a current list of every sub-processor it uses for the controller's data. Second, the processor cannot add a new sub-processor without prior authorization from the controller, either through a general written authorization (with notice and a right to object before changes go live) or a specific authorization for each new vendor.
In practice, most enterprise DPAs use the general authorization model paired with a public sub-processor list and an email subscription for change notifications. That setup is what lets a vendor onboard a new infrastructure tool without renegotiating every customer DPA, while still giving customers the right to object before the change takes effect.
The procurement gotchas show up here every week. A vendor's sub-processor list is six months stale. A new AI vendor in the stack is not on it. A downstream sub-processor has a sub-processor of its own that nobody flagged. Each one of those is a real audit finding. The discipline is the same regardless of stack: keep the list current, notify on changes, document customer authorizations.