π TLDR: It is in part requirement and also best practice to explain the tools and third parties to which personal data is transferred in your business.
You should use vetted and secure tools and third parties to ensure these are secure
As a controller
Article 13(e) and Article 14(e) of the GDPR requires us to disclose recipients or categories of recipients to individuals on our Privacy Policy.
Article 13(f) and Article 14(f) requires us to disclose the transfers of personal data to outside the EEA and the security measures and mechanisms used for the transfer.
We achieve this by disclosing the tools and third parties we use, the security measures and their data residency in our Privacy Policy (under the Third Parties & Sub-Processors section), additionally, we explain the mechanisms used for such transfer in the International Transfers section.
Additionally, to show transparency and accountability it is a good practice to disclose the tools and third parties.
As a processor
Article 28(2) tells us that you should never engage with a new processor (a tool or third party) without written authorization from the controller (in other words your B2B Customers). To ensure this is true, normally a list of sub-processors is attached to our Data Processing Agreement.
This document needs to be signed by both parties so to reduce the time needed to close deals companies will normally publish their sub-processors on their website or on their publicly available DPA as seen below: