diff --git a/proposals/2140-terms-of-service-2.md b/proposals/2140-terms-of-service-2.md index e4a3083b..568a50df 100644 --- a/proposals/2140-terms-of-service-2.md +++ b/proposals/2140-terms-of-service-2.md @@ -62,20 +62,21 @@ be dropped from all endpoints. Any request to any endpoint within `/_matrix/identity/v2`, with the exception of: * `/_matrix/identity/v2` - * any `requestToken` endpoint + * any `requestToken` or `submitToken` endpoint * The new `$prefix/account/register` endpoint * The new `GET /_matrix/identity/v2/terms` + * `$prefix/logout` ...may return an error with `M_UNAUTHORIZED` errcode with HTTP status code 401. This indicates that the user must authenticate with OpenID and supply a valid `access_token`. -`requestToken` endpoints are excluded from the auth check because they are used -in the registration process before the user has an MXID and therefore cannot -log in with OpenID. It is up to the IS to manage its privacy obligations -appropriately when fulfilling these requests, bearing in mind that the user has -not explicitly indicated their agreement to any documents, and may abort the -registration process without doing so. +`requestToken` and `submitToken` endpoints are excluded from the auth check +because they are used in the registration process before the user has an MXID +and therefore cannot log in with OpenID. It is up to the IS to manage its +privacy obligations appropriately when fulfilling these requests, bearing in +mind that the user has not explicitly indicated their agreement to any +documents, and may abort the registration process without doing so. All other endpoints require authentication by the client supplying an access token either via an `Authorization` header with a `Bearer` token or an `access_token`
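Review bot: The added `$prefix/logout` entry in the exception list has no rationale. The paragraph rewritten below the list justifies only `requestToken` and `submitToken`, on the grounds that they are used in the registration process before the user has an MXID, and that reasoning does not apply to logout. Because the text that follows says "All other endpoints require authentication", listing logout among the exceptions reads as if it accepts requests with no token at all. Suggest adding a sentence that states why logout is exempt and what exactly it is exempt from. For example, it could say whether the client must still supply an `access_token` so the IS knows which session to end, and what the IS returns when that token is missing or invalid.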