
Acceptable Use Policy

Document Type: Corporate Policy

© ASML 2021 - Confidential Confidential


Contents
Purpose
Scope
Requirements
Article 1: General acceptable use
Article 2: Personal account use
Article 3: Device and media use
Article 4: Network & information system use
Article 5: Software use
Article 6: Messaging / e-mail use
Article 7: Film and photography use
Article 8: Report incidents
Article 9: Social media and cloud services use
Responsibilities
Communication and Training
Deviations
Definitions
References
Ownership
Approval
Revision history
Obsolescence

Purpose
The purpose of this policy is to provide employees with a set of rules for using ASML assets.
Information security is an important aspect of ASML’s corporate culture and is supported by the ASML
Code of Conduct, especially the business principle: “We protect our assets”. The Acceptable Use
Policy further details the Information Security policy.

Scope
This policy is binding for all Employees.

In the context of this Policy, an Employee is defined as: any person on ASML’s or an Affiliate’s payroll
or temporary workers assigned by a staffing agency who are under ASML’s or an Affiliate’s direct
supervision or control.

Requirements
Employees have direct access to all kinds of ASML information. This information exists in several
formats, such as physically on paper or digitally on ASML-provided or supported devices. You either have
access to this information or have it under your direct control. You are responsible for protecting any
ASML information that you have access to.

Article 1: General acceptable use


AUP1.1: Employees must sign a document including appropriate confidentiality clauses before
accessing ASML’s information. Such documents may be an Employment Agreement, a Non-
Disclosure Agreement (NDA), or other agreements as deemed necessary and appropriate by ASML.
AUP1.2: Each employee is accountable for ensuring that critical information is available when
needed. Information must be stored in line with the Knowledge Protection Policy.

Article 2: Personal account use


AUP2.1: Each employee is accountable for all actions performed with his/her user account.
An employee must protect the user account by:
a) Choosing strong passwords that are not easily guessable.
b) Not using the ASML username and password within non-ASML applications.
c) Not sharing your username, password, or (soft)token PIN with other people.
d) Locking your screen whenever you leave your device unattended.
e) Not leaving your device unattended in a public space (such as airfields, cars and public
transportation).
f) Not leaving your device unattended in ASML public spaces (such as in the Plaza or in
hallways).
Additionally, ASML has controls in place for monitoring all information and activities on its
information systems and its communications infrastructure. Access to applications and data is
being logged and can be traced back to users.

Article 3: Device and media use


AUP3.2: Employees must take proper care when using a non-ASML device for ASML related
activities.
In principle you should only use an ASML (partial) managed device to conduct ASML business.
Specific instructions with respect to devices not managed by ASML, such as third-party
computers and measuring systems, are given on the IT Service Desk page on the intranet.
AUP3.3: Any employee who configures a privately owned device to install ASML applications or receive
ASML information thereby grants ASML the right to install software on that device to enforce
security controls necessary to protect ASML information. Examples of ASML applications or
information are MS Teams, ASML App, email, calendar.
Limitations:
a) Privately owned devices are not supported by the IT department and hence the IT Service
Desk does not provide support for issues other than with the configuration or usage of the
ASML application.
b) ASML cannot be held liable for loss, damage or data loss on a privately owned device due to
system or human error.
AUP3.5: Do not store information on removable storage media, such as external hard drives or USB
memory sticks. In exceptional cases, if from a business perspective it is required, make sure to use
ASML supplied storage media with encryption enabled.
AUP3.1: Employees must hand in ASML-owned assets (including, but not limited to computers,
mobile devices, and access badges) and remove ASML information from non-ASML owned assets
upon end of employment or assignment. If employees fail to do so, ASML reserves the right to
remotely wipe and delete ASML information.

Article 4: Network & information system use


AUP4.1: Only ASML (partial) managed devices may be connected to the ASML network. Specific
arrangements:
a) Non-ASML managed devices that only require access to the internet must use the ASML
WIFI guest network and are not allowed on the other internal ASML network segments.
b) Non-ASML managed devices from third parties that require access to ASML assets must be
connected to a separated part of the ASML network in line with the Communications Security
Policy.
It is not allowed to connect non-ASML managed devices, such as network devices (e.g. wireless
access points, hubs, and routers), laptops, desktops, and tablets, to the ASML network.

AUP4.2: It is not allowed to modify the ASML network infrastructure.
All cabling, wiring and wired and wireless network equipment within ASML offices and that which
connects ASML offices to external parties is under full control of ASML IT and Corporate Real
Estate (CRE). Only IT and CRE are permitted to make any changes, additions, or deletions to this
infrastructure.
AUP4.3: ASML provides information systems and services required for the performance and
fulfillment of job responsibilities. These services, such as e-mail, voice mail, telephone, and Internet
access, but also the use of IT systems such as a laptop/desktop and a home/shared directory, are for
the purpose of increasing productivity and not for non-business activities. However, occasional and
reasonable personal use of ASML electronic communication services is permitted, provided this does
not interfere with work performance or violate the ASML Code of Conduct.
AUP4.4: It is prohibited at any time on ASML information systems to generate, access, display, or
disseminate any material that violates or advocates the violation of the ASML Code of Conduct, ASML
Corporate Social Media Guidelines, or any laws & regulations.
ASML will report violations to the relevant authorities whenever this is required by applicable rules
and regulations or when deemed necessary by ASML (e.g. internal policies, procedures and
guidelines).
AUP4.5: ASML controls electronic personal data processed through ASML information systems to
protect health, safety and security and to ensure integrity.
The information systems and networks within ASML are property of ASML and are meant for
business purposes only (AUP4.3). ASML has the right to process employee related data if
needed to protect health, safety and security and to ensure integrity, in compliance with
applicable privacy laws and regulations.
ASML processes personal data of its users as described within the ASML Privacy Notice for
Workers. In particular, and with specific regards to the protection of health, safety and security
and to ensure integrity, ASML processes personal data based on legitimate interests, for example
to be able to detect fraud and prevent crime and to monitor, detect and protect the organization,
its employees, systems, network, infrastructure, computers, information, intellectual property and
other rights from unwanted security intrusion, unauthorized access, disclosure and acquisition of
information, data and system breaches, hacking, industrial espionage and cyberattacks.
ASML also monitors employee accounts to observe compliance with ASML's policies and
regulations, such as the Code of Conduct and ASML Policies. These policies can be found on the
Corporate Policy Portal.
Therefore, employees should be aware that ASML might access their data stored on ASML
information systems or otherwise processed in or through ASML IT infrastructure.
AUP4.6: Content inspection of encrypted communication may occur, provided that such inspection
does not conflict with (privacy) laws and regulations.

Article 5: Software use


AUP5.1: It is prohibited to download, install, record, store, play, upload, transmit, make available, or
otherwise distribute copyrighted material not owned by or licensed to ASML on ASML owned devices.
AUP5.2: Personal use of copyrighted materials owned or licensed by ASML is only allowed if
copyright restrictions are adhered to. It is forbidden to use copyrighted materials owned or licensed by
ASML for commercial use outside of ASML.

AUP5.3: In order to protect the ASML environment, ASML has taken a number of security measures
such as virus / malware and access management controls. It is not allowed to disable or remove
these measures.
AUP5.4: ASML reserves the right to conduct software audits on ASML owned devices at any time.
Software not licensed to ASML on the ASML managed part of the device will be removed.

Article 6: Messaging / e-mail use


Internal ASML
AUP6.1: Each Employee may only use their own name as the sender of email and their ASML
account for business related communication.
In the case of e-mail, you may only use your own name as the sender of the e-mail. Do not use
your own private mail to conduct ASML business. Do not communicate ASML non-public
information with third party employees using their private email address. If you are a third party
employee, you may not use your third-party company name in signing an ASML e-mail.
AUP6.2: Auto-forwarding emails to addresses outside ASML is not allowed.
It is not allowed to automatically forward e-mail messages to addresses outside of ASML. When
you do forward a message manually, make sure any attachments are appropriate and necessary.
AUP6.3: All data entering or leaving ASML must be free of malware.
Malware can cause severe disruption to ASML’s business operation; therefore, it is important to
guard ASML information and systems against malware. Each ASML managed device should be
provided with malware scanning software. New malware scanning updates are automatically
distributed to these devices. The use of malware scanning software is effective but cannot
provide 100% protection. You are also an important factor in protecting against malware:
a) You should never open e-mails that seem untrustworthy to you (from non-trusted
sources).
b) You should never open attachments that come from an unknown or suspected source.
c) Be careful with opening e-mail marked as “Spam” or “Phish” and report these messages
using the “Phish” button in Microsoft Outlook.
AUP6.6: In case the recipient has an email address in PIP/My Profile, this address should be used.
AUP6.7: Employees may send messages on behalf of other Employees when allowed by said
Employee, the delegation is made clear to the addressee and the delegator is in the CC-field.
Mentioning such delegation is not required in case:
a) The Internal Communication department sends messages on request of an ASML entity.
b) Personal assistants managing their manager’s calendars.
AUP6.8: When using Distribution Lists for sending information to a group of recipients, employees must
determine if the information is to be shared with everyone in the Distribution List:
a) Is there a “Need-to-Know” for everyone in the list (in line with the information classification)?
b) Does the list contain external e-mail addresses that should not receive the information?
c) Is the Distribution List maintained?

External to ASML
AUP6.4: It is allowed to have an external company email account registered within ASML instead of
an ASML personal email account if there is a business need to do so. In this case the ASML personal
email account is deleted together with the corresponding mailbox.
Requirements are:
a) The line manager must approve this change.
b) The external email address must be clearly recognizable as belonging to the company of the
employee.
AUP6.5: The external company email account may be used for ASML business related email
communication provided that information is adequately protected in line with the information
classification and the Knowledge Protection Policy.

Article 7: Film and photography use


AUP7.1: Film and photography on ASML premises is not allowed except under specific circumstances
as defined in the Photo & film security standard.
AUP7.2: Emails with films and photographs with ASML information must be emailed from an ASML
email address only.
AUP7.3: To email (or send in other ways) films and photographs with ASML information, all
Knowledge Protection Policy rules, including the Knowledge Protection Information Sharing rules and
Knowledge Protection Information Handling rules, apply.

Article 8: Report incidents


AUP8.1: If you detect any event or circumstance that is in your opinion against ASML’s best interests
or violates this policy, you are required to report this to:
- Information Security, via information.security@asml.com;
If you would like to report anonymously:
- Corporate Ethics Office.
- It is also possible to contact your local trusted person.
AUP8.2: All Employees and contractors must report information security incidents and events as soon
as possible.
AUP8.3: Employees and contractors must never attempt to exploit or prove suspected vulnerabilities
without a management approved Pentest assignment, as this could cause damage to ASML and be
interpreted as potential misuse of ASML facilities.

Article 9: Social media and cloud services use


AUP9.1: Employees must only use ASML contracted cloud service providers. It is not allowed to
store or process ASML information in non-ASML contracted cloud services.

AUP9.2: Employees may post ASML related content to blogs, forums or other social media only if and
when the content does not violate the Code of Conduct and complies with ASML Corporate Social
Media Guidelines. Only “Public” classified technical information should be shared¹ and, when
approaching media outlets, you should obtain upfront approval from Corporate Communications.

Responsibilities
Corporate Communications
Corporate Communications is responsible for creating, maintaining and publishing the Social Media
Guidelines.

Corporate Legal
Corporate Legal is responsible for providing legal advice and/or actions in relation to this policy.

Employee
All Employees at all locations are responsible for adhering to the policy statements above.

Human Resources
HR is responsible for sharing this policy with Employees.

Policy Owner
Security Strategy, Risk & Architecture is responsible for creation, maintenance and publishing of this
policy.

Communication and Training


This standard is communicated within ASML utilizing the following channels:
- Human Resources process of hiring new employees.
- Information Security Policy Framework publication.
- Inclusion in HR process (signing by new employees).
Note: This is not an exhaustive list and the communication channels used may change over time.

Deviations
If it is necessary to deviate from the minimum requirements in this Policy or other ASML policies
referred to in this Policy, the responsible manager should request a waiver from the Policy Owner.
It is only permissible to deviate from this Policy after a waiver has been requested and approved.
In case of any doubt or lack of clarity as to the scope, the content or the interpretation of (parts of) this Policy,
advice must be asked from the direct manager and/or the Policy Owner.

¹ Technical information is classified as “public” when available on public ASML channels (like ASML.com), when
mentioned in ASML presentations that are labeled “public”, or included in ASML-authored papers published in
official scientific journals. If this is not the case, the technical information should be submitted to and approved by
ASML’s Technical Publication Board (TPB) - TPB@asml.com.

Definitions
The centralized information security definitions apply to this document as published on the
Information Security intranet page.

References
Related Regulation, Legislation or external standard:

Related Internal Documents:
- ASML Code of Conduct
- ASML Business Principles
- Information Security Policy
- Speak Up Policy
- ASML Corporate Social Media Guidelines
- Photo & Film Security Standard (draft)

Ownership
Policy Owner: CISO
Contact for Policy Information or Feedback: information.security.policies@asml.com

Approval
Policy Owner: Aernout Reijmer, CISO
Approval by Security Committee (Policy Sponsor): Roger Dassen, CFO
Approval date: 23 March 2021
Scheduled review: March 2026

Revision history
Author | Date | Version | Status | Description
Rowald Herijgers | July ‘21 | 2.1 | Final | Front page template adjustment
Rowald Herijgers | March ‘21 | 2.0 | Final | Final version approved in Security Committee 23 March 2021
Rowald Herijgers | February ‘21 | 1.8 | Final Draft | Security Committee feedback processed, final version for approval Security Committee
Rowald Herijgers | Jan 2021 | 1.7 | Draft | Review processed: SRMs, Privacy Office, Legal, Comms, IT SDM
Rowald Herijgers | Nov 2020 | 1.6 | Final Draft | Policy rationalization project, Sector Security Risk Manager feedback processed.
Rowald Herijgers | Jan 2020 | 1.5-1.52 | Draft | Privacy Office adjustment of the privacy statement in the policy. Kept as input for rationalization of the policy later this year.
Rowald Herijgers | 15-May-19 | 1.4 | Final | Minor update: Policy Owner: CISO, email address, Policy review cycle and scheduled review date. Also new information.security@asml.com email address added.
Hotze de Jong, Sandra Konings and Wim Sonnemans | 8-Aug-12 | 1.0-1.3 | Final | Approval page has been added, additionally changed into policy format, updated with new Code of Conduct text and updated with recently created related policies.

Obsolescence
This Policy replaces:
- Acceptable use of IT systems policy v1.4
- Mobile Device Management - Acceptable use of Smartphones and Tablets v4.12
- IT Security Standard – Use of e-mail accounts v1.0
