Incident Response & Vulnerability Reporting

How to report security issues and what happens if there's a data incident

Updated December 29, 2025

We take security seriously and have processes in place for both preventing and responding to security incidents. This article explains how to report vulnerabilities and what to expect if an incident occurs.

Reporting a Security Vulnerability

If you discover a security vulnerability in Lexa, please report it responsibly.

How to Report

Email us at: contact@lexa.sg

Please include:

  • A description of the vulnerability
  • Steps to reproduce the issue
  • The potential impact
  • Your contact information (optional, but helpful for follow-up)

What to Expect

  1. Acknowledgment: We will acknowledge receipt within 48 hours
  2. Investigation: Our team will investigate and assess the severity
  3. Resolution: We will work to fix the issue as quickly as possible
  4. Communication: We will keep you informed of progress (if contact provided)

Responsible Disclosure

We ask that you:

  • Do not publicly disclose the vulnerability before we've had a chance to fix it
  • Do not access or modify other users' data
  • Do not perform actions that could harm the service or other users

We appreciate security researchers who help us keep Lexa safe.

Our Incident Response Process

In the event of a security incident, we follow a structured response process:

1. Detection & Containment

  • Identify the scope and nature of the incident
  • Contain the issue to prevent further impact
  • Preserve evidence for investigation

2. Investigation

  • Determine what data was affected
  • Identify how the incident occurred
  • Assess the impact on users

3. Notification

  • Affected Users: We will notify affected users directly via email
  • Timing: Notification within 72 hours of confirming a data breach
  • Content: What happened, what data was affected, what we're doing about it

4. Remediation

  • Fix the underlying issue
  • Implement additional safeguards
  • Document lessons learned

What We Consider a Reportable Incident

We will notify users if there is:

  • Unauthorized access to personal data
  • Data exposure due to a security vulnerability
  • Loss or theft of data

We will not notify for:

  • Unsuccessful attack attempts
  • Vulnerabilities discovered and fixed before any data exposure
  • Service outages that don't involve data security

For Schools: Incident Coordination

If you are a school using Lexa:

  • We will notify your designated contact (typically the teacher who registered)
  • We can provide incident reports for your records
  • We will cooperate with any internal or regulatory investigations

Regulatory Reporting

For Singapore users, if an incident meets the threshold for notification under PDPA, we will:

  • Notify the Personal Data Protection Commission (PDPC) as required
  • Provide affected individuals with information about the breach
  • Cooperate with any PDPC investigation

Contact Information

Purpose                     Contact
Security vulnerabilities    contact@lexa.sg
Privacy inquiries           contact@lexa.sg
General support             contact@lexa.sg

Pro Tip: Bookmark this page. If you ever suspect your account has been compromised, change your password immediately and contact us at contact@lexa.sg.